-description: Learn how to integrate Azure AD B2C authentication with whoIam for user verification

-# Customer intent: As an IT admin, I want to integrate Azure Active Directory B2C with StrataMaverics Identity Orchestrator. I need to protect on-premises applications and enable customer single sign-on (SSO) to hybrid apps.

-# Tutorial to configure Azure Active Directory B2C with Strata

-In this tutorial, learn how to integrate Azure Active Directory B2C (Azure AD B2C) with Strata [Maverics Identity Orchestrator](https://www.strata.io/), which helps protect on-premises applications. It connects to identity systems, migrates users and credentials, synchronizes policies and configurations, and abstracts authentication and session management. Use Strata to transition from legacy, to Azure AD B2C, without rewriting applications.

-The solution has the following benefits:

- - Users sign in with accounts hosted in Azure AD B2C or identity provider (IdP)

- - Maverics proves SSO to apps historically secured by legacy identity systems like Symantec SiteMinder

-## Prerequisites

-To get started, you'll need:

-* An Azure subscription

- - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/)

-## Scenario description

-Maverics Identity Orchestrator integration includes the following components:

- - Authenticated users access on-premises apps using a local account in the Azure AD B2C directory

- - See, [Add an identity provider to your Azure Active Directory B2C tenant](./add-identity-provider.md)

-The following architecture diagram shows the implementation.

- 

-1. The user requests access the on-premises hosted application. Maverics Identity Orchestrator proxies the request to the application.

-2. Orchestrator checks the user authentication state. If there's no session token, or the token is invalid, the user goes to Azure AD B2C for authentication

-3. Azure AD B2C sends the authentication request to the configured social IdP.

-4. The IdP challenges the user for credential. Multifactor authentication (MFA) might be required.

-5. The IdP sends the authentication response to Azure AD B2C. The user can create a local account in the Azure AD B2C directory.

-6. Azure AD B2C sends the user request to the endpoint specified during the Orchestrator app registration in the Azure AD B2C tenant.

-7. The Orchestrator evaluates access policies and attribute values for HTTP headers forwarded to the app. Orchestrator might call to other attribute providers to retrieve information to set the header values. The Orchestrator sends the request to the app.

-8. The user is authenticated and has access to the app.

-## Maverics Identity Orchestrator

-To get software and documentation, go to strata.io [Contact Strata Identity](https://www.strata.io/company/contact/). Determine Orchestrator prerequisites. Install and configure.

-## Configure your Azure AD B2C tenant

-During the following instructions, document:

-* Tenant name and identifier

-* Client ID

-* Client secret

-* Configured claims

-* Redirect URI

-1. [Register a web application in Azure Active Directory B2C](./tutorial-register-applications.md?tabs=app-reg-ga) in Azure AD B2C tenant.

-2. Grant Microsoft MS Graph API permissions to your applications. Use permissions: `offline_access`, `openid`.

-3. Add a redirect URI that matches the `oauthRedirectURL` parameter of the Orchestrator Azure AD B2C connector configuration, for example, `https://example.com/oidc-endpoint`.

-4. [Create user flows and custom policies in Azure Active Directory B2C](./tutorial-create-user-flows.md).

-5. [Add an identity provider to your Azure Active Directory B2C tenant](./add-identity-provider.md). Sign in your user with a local account, a social, or enterprise.

-6. Define the attributes to be collected during sign-up.

-7. Specify attributes to be returned to the application with your Orchestrator instance.

-> [!NOTE]

-> The Orchestrator consumes attributes from claims returned by Azure AD B2C and can retrieve attributes from connected identity systems such as LDAP directories and databases. Those attributes are in HTTP headers and sent to the upstream on-premises application.

-## Configure Maverics Identity Orchestrator

-Use the instructions in the following sections to configure an Orchestrator instance.

-### Maverics Identity Orchestrator server requirements

-You can run your Orchestrator instance on any server, whether on-premises or in a public cloud infrastructure by provider such as Azure, AWS, or GCP.

-### Install Maverics Identity Orchestrator

-1. Obtain the latest Maverics RPM package.

-2. Place the package on the system you'd like to install Maverics. If you're copying to a remote host, use SSH [scp](https://www.ssh.com/academy/ssh/scp).

-3. Run the following command. Use your filename to replace `maverics.rpm`.

- `sudo rpm -Uvf maverics.rpm`

- By default, Maverics is in the `/usr/local/bin` directory.

-4. Maverics runs as a service under `systemd`.

-5. To verify Maverics service is running, run the following command:

- `sudo service maverics status`

-6. The following message (or similar) appears.

-```

-Redirecting to /bin/systemctl status maverics.service

- maverics.service - Maverics

- Loaded: loaded (/etc/systemd/system/maverics.service; enabled; vendor preset: disabled)

- Active: active (running) since Thu 2020-08-13 16:48:01 UTC; 24h ago

- Main PID: 330772 (maverics)

- Tasks: 5 (limit: 11389)

- Memory: 14.0M

- CGroup: /system.slice/maverics.service

- ΓööΓöÇ330772 /usr/local/bin/maverics --config /etc/maverics/maverics.yaml

- ```

-> [!NOTE]

-> If Maverics fails to start, execute the following command:

- `journalctl --unit=maverics.service --reverse`

- The most recent log entry appears in the output.

-7. The default `maverics.yaml` file is created in the `/etc/maverics` directory.

-8. Configure your Orchestrator to protect the application.

-9. Integrate with Azure AD B2C, and store.

-10. Retrieve secrets from [Azure Key Vault](https://azure.microsoft.com/services/key-vault/?OCID=AID2100131_SEM_bf7bdd52c7b91367064882c1ce4d83a9:G:s&ef_id=bf7bdd52c7b91367064882c1ce4d83a9:G:s&msclkid=bf7bdd52c7b91367064882c1ce4d83a9).

-11. Define the location from where the Orchestrator reads its configuration.

-### Supply configuration using environment variables

-Configure your Orchestrator instances with environment variables.

-`MAVERICS_CONFIG`

-This environment variable informs the Orchestrator instance what YAML configuration files to use, and where to find them during startup or restart. Set the environment variable in `/etc/maverics/maverics.env`.

-### Create the Orchestrator TLS configuration

-The `tls` field in `maverics.yaml` declares the transport layer security configurations your Orchestrator instance uses. Connectors use TLS objects and the Orchestrator server.

-The `maverics` key is reserved for the Orchestrator server. Use other keys to inject a TLS object into a connector.

-```yaml

-tls:

- maverics:

- certFile: /etc/maverics/maverics.cert

- keyFile: /etc/maverics/maverics.key

-```

-### Configure the Azure AD B2C Connector

-Orchestrators use Connectors to integrate with authentication and attribute providers. The Orchestrators App Gateway uses the Azure AD B2C connector as an authentication and attribute provider. Azure AD B2C uses the social IdP for authentication and then provides attributes to the Orchestrator, passing them in claims set in HTTP headers.

-The Connector configuration corresponds to the app registered in the Azure AD B2C tenant.

-1. From your app config, copy the Client ID, Client secret, and redirect URI into your tenant.

-2. Enter a Connector name (example is `azureADB2C`).

-3. Set the connector `type` to be `azure`.

-4. Make a note of the Connector name. You'll use this value in other configuration parameters.

-5. Set the `authType` to `oidc`.

-6. For the `oauthClientID` parameter, set the Client ID you copied.

-7. For the `oauthClientSecret` parameter, set the Client secret you copied.

-8. For the `oauthRedirectURL` parameter, set the redirect URI you copied.

-9. The Azure AD B2C OIDC Connector uses the OIDC endpoint to discover metadata, including URLs and signing keys. For the tenant endpoint, use `oidcWellKnownURL`.

-```yaml

-connectors:

- name: azureADB2C

- type: azure

- oidcWellKnownURL: https://<tenant name>.b2clogin.com/<tenant name>.onmicrosoft.com/B2C_1_login/v2.0/.well-known/openid-configuration

- oauthRedirectURL: https://example.com/oidc-endpoint

- oauthClientID: <azureADB2CClientID>

- oauthClientSecret: <azureADB2CClientSecret>

- authType: oidc

-```

-### Define Azure AD B2C as your authentication provider

-An authentication provider determines authentication for users who don't present a valid session during an app resource request. Azure AD B2C tenant configuration determines how users are challenged for credentials, while it applies other authentication policies. An example is to require a second factor to complete authentication and decide what is returned to the Orchestrator App Gateway, after authentication.

-The value for the `authProvider` must match your Connector `name` value.

-```yaml

-authProvider: azureADB2C

-```

-### Protect on-premises apps with an Orchestrator App Gateway

-The Orchestrator App Gateway configuration declares how Azure AD B2C protects your application and how users access the app.

-1. Enter an App gateway name.

-2. Set the `location`. The example uses the app root `/`.

-3. Define the protected application in `upstream`. Use the host:port convention: `https://example.com:8080`.

-4. Set the values for error and unauthorized pages.

-5. Define the HTTP header names and attribute values for the application to establish authentication and control. Header names typically correspond to app configuration. Attribute values are namespaced by the Connector. In the example, values returned from Azure AD B2C are prefixed with the Connector name `azureADB2C`. The suffix is the attribute name with the required value, for example `given_name`.

-6. Set the policies. Three actions are defined: `allowUnauthenticated`, `allowAnyAuthenticated`, and `allowIfAny`. Each action is associated with a `resource`. Policy is evaluated for that `resource`.

->[!NOTE]

->`headers` and `policies` use JavaScript or GoLang service extensions to implement arbitrary logic.

-```yaml

-appgateways:

- - name: Sonar

- location: /

- upstream: https://example.com:8080

- errorPage: https://example.com:8080/sonar/error

- unauthorizedPage: https://example.com:8080/sonar/accessdenied

- headers:

- SM_USER: azureADB2C.sub

- firstname: azureADB2C.given_name

- lastname: azureADB2C.family_name

- policies:

- - resource: ~ \.(jpg|png|ico|svg)

- allowUnauthenticated: true

- - resource: /

- allowAnyAuthenticated: true

- - resource: /sonar/daily_deals

- allowIfAny:

- azureADB2C.customAttribute: Rewards Member

-```

-### Azure Key Vault as secrets provider

-Secure the secrets your Orchestrator uses to connect to Azure AD B2C, and other identity systems. Maverics load secrets in plain text out of `maverics.yaml`, however, in this tutorial, use Azure Key Vault as the secrets provider.

-Follow the instructions in, [Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal](../key-vault/secrets/quick-create-portal.md). Add your secrets to the vault and make a note of the `SECRET NAME` for each secret. For example, `AzureADB2CClientSecret`.

-To declare a value as a secret in a `maverics.yaml` config file, wrap the secret with angle brackets:

-```yaml

-connectors:

- - name: AzureADB2C

- type: azure

- oauthClientID: <AzureADB2CClientID>

- oauthClientSecret: <AzureADB2CClientSecret>

-```

-The value in the angle brackets must correspond to the `SECRET NAME` given to a secret in your Azure Key Vault.

-To load secrets from Azure Key Vault, set the environment variable `MAVERICS_SECRET_PROVIDER` in the file `/etc/maverics/maverics.env`, with the credentials found in the azure-credentials.json file. Use the following pattern:

-`MAVERICS_SECRET_PROVIDER='azurekeyvault://<KEYVAULT NAME>.vault.azure.net?clientID=<APPID>&clientSecret=<PASSWORD>&tenantID=<TENANT>'`

-### Complete the configuration

-The following information illustrates how Orchestrator configuration appears.

-```yaml

-version: 0.4.2

-listenAddress: ":443"

-tls:

- maverics:

- certFile: certs/maverics.crt

- keyFile: certs/maverics.key

-authProvider: azureADB2C

-connectors:

- - name: azureADB2C

- type: azure

- oidcWellKnownURL: https://<tenant name>.b2clogin.com/<tenant name>.onmicrosoft.com/B2C_1_login/v2.0/.well-known/openid-configuration

- oauthRedirectURL: https://example.com/oidc-endpoint

- oauthClientID: <azureADB2CClientID>

- oauthClientSecret: <azureADB2CClientSecret>

- authType: oidc

-appgateways:

- - name: Sonar

- location: /

- upstream: http://example.com:8080

- errorPage: http://example.com:8080/sonar/accessdenied

- unauthorizedPage: http://example.com:8080/sonar/accessdenied

- headers:

- SM_USER: azureADB2C.sub

- firstname: azureADB2C.given_name

- lastname: azureADB2C.family_name

- policies:

- - resource: ~ \.(jpg|png|ico|svg)

- allowUnauthenticated: true

- - resource: /

- allowAnyAuthenticated: true

- - resource: /sonar/daily_deals

- allowIfAny:

- azureADB2C.customAttribute: Rewards Member

-```

-## Test the flow

-1. Navigate to the on-premises application URL, `https://example.com/sonar/dashboard`.

-2. The Orchestrator redirects to the user flow page.

-3. From the list, select the IdP.

-4. Enter credentials, including an MFA token, if required by the IdP.

-5. You're redirected to Azure AD B2C, which forwards the app request to the Orchestrator redirect URI.

-6. The Orchestrator evaluates policies, and calculates headers.

-7. The requested application appears.

-## Next steps

-The Azure Cost Optimization workbook is designed to provide an overview and help you optimize costs of your Azure environment. It offers a set of cost-relevant insights and recommendations aligned with the WAF Cost Optimization pillar.

-The Azure Cost Optimization workbook serves as a centralized hub for some of the most commonly used tools that can help you drive utilization and efficiency goals. It offers a range of recommendations, including Azure Advisor cost recommendations, identification of idle resources, and management of improperly deallocated Virtual Machines. Additionally, it provides insights into using Azure Hybrid benefit options for Windows, Linux, and SQL databases. The workbook template is available in Azure Advisor gallery.

-1. Navigate to [Workbooks gallery](https://aka.ms/advisorworkbooks) in Azure Advisor

-1. Open **Cost Optimization (Preview)** workbook template.

-The workbook is organized into different tabs, each focusing on a specific area to help you reduce the cost of your Azure environment.

-* Compute

-* Azure Hybrid Benefit

-* Storage

-* Networking

-* **Filters** - use subscription, resource group and tag filters to focus on a specific workload.

-> The workbook serves as guidance and does not guarantee cost reduction.

-## Compute

-### Advisor recommendations

-This query focuses on reviewing the Advisor recommendations related to compute. Some of the recommendations available in this query could be *Optimize virtual machine spend by resizing or shutting down underutilized instances* or *Buy reserved virtual machine instances to save money over pay-as-you-go costs*.

-### Virtual machines in Stopped State

-This query identifies Virtual Machines that are not properly deallocated. If a virtual machineΓÇÖs status is *Stopped* rather than *Stopped (Deallocated)*, you are still billed for the resource as the hardware remains allocated for you.

-### Web Apps

-This query helps identify Azure App Services with and without Auto Scale, and App Services where the actual app might be stopped.

-### Azure Kubernetes Clusters (AKS)

-This query focuses on cost optimization opportunities specific to Azure Kubernetes Clusters (AKS). It provides recommendations such as:

-* Enabling cluster autoscaler to automatically adjust the number of agent nodes in response to resource constraints.

-* Considering the use of Azure Spot VMs for workloads that can handle interruptions, early terminations, or evictions.

-* Utilizing the Horizontal Pod Autoscaler to adjust the number of pods in a deployment based on CPU utilization or other selected metrics.

-* Using the Start/Stop feature in Azure Kubernetes Services (AKS) to optimize cost during off-peak hours.

-* Using appropriate VM SKUs per node pool and considering reserved instances where long-term capacity is expected.

-Windows VMs and VMSS not using Hybrid Benefit

-Azure Hybrid Benefit represents an excellent opportunity to save on Virtual Machines OS costs. You can see potential savings using Azure Hybrid Benefit Calculator Check this link to learn more about the Azure Hybrid Benefit.

-> If you have selected Dev/Test subscription(s) within the scope of this Workbook then they should already have discounts on Windows licenses so recommendations here donΓÇÖt apply to this subscription(s)

-### Linux VM not using Hybrid Benefit

-Similar to Windows VMs, Azure Hybrid Benefit provides an excellent opportunity to save on Virtual Machine OS costs. The Azure Hybrid Benefit for Linux is a licensing benefit that significantly reduces the costs of running Red Hat Enterprise Linux (RHEL) and SUSE Linux Enterprise Server (SLES) virtual machines (VMs) in the cloud.

-### SQL HUB Licenses

-Azure Hybrid Benefit can also be applied to SQL services, such as SQL server on VMs, SQL Database or SQL Managed Instance.

-## Storage

-### Advisor recommendations

-Review the Advisor recommendations for Storage. This section provides insights into various recommendations such as ΓÇ£Blob storage reserved capacityΓÇ¥ or ΓÇ£Use lifecycle management.ΓÇ¥ These recommendations can help optimize your storage costs and improve efficiency.

-Unattached Managed Disks

-This query focuses on the list of managed unattached disks. It automatically ignores disks used by Azure Site Recovery. Use this information to identify and remove any unattached disks that are no longer needed.

-> This query has a Quick Fix column that helps you to remove the disk if not needed.

-### Disk snapshots older than 30 days

-This query identifies snapshots that are older than 30 days. Identifying and managing outdated snapshots can help you optimize storage costs and ensure efficient use of your Azure environment.

-## Networking

-### Advisor recommendations

-Review the Advisor recommendations for Networking. This section provides insights into various recommendations, such as ΓÇ£Reduce costs by deleting or reconfiguring idle virtual network gatewaysΓÇ¥ or ΓÇ£Reduce costs by eliminating unprovisioned ExpressRoute circuits.ΓÇ¥

-### Application Gateway with empty backend pool

-Review the Application Gateways with empty backend pools. App gateways are considered idle if there isnΓÇÖt any backend pool with targets.

-### Load Balancer with empty backend pool

-Review the Load Balancers with empty backend pools. Load Balancers are considered idle if there isnΓÇÖt any backend pool with targets.

-### Unattached Public IPs

-Review the list of idle Public IP Addresses. This query also shows Public IP addresses attached to idle Network Interface Cards (NICs)

-### Idle Virtual Network Gateways

-Review the Idle Virtual Network Gateways. This query shows VPN Gateways without any active connection.

-By default, your subscription uses Microsoft-managed encryption keys. There is also the option to manage your subscription with your own keys called customer-managed keys (CMK). CMK offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.

-There is also an option to manage your subscription with your own keys. Customer-managed keys (CMK), also known as Bring your own key (BYOK), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.

-* Migration to an E0 resource will be blocked. Users will only be able to migrate their apps to F0 resources. After you've migrated an existing resource to F0, you can create a new resource in the E0 tier. Learn more about [migration here](./luis-migration-authoring.md).

-* Moving applications to or from an E0 resource will be blocked. A work around for this limitation is to export your existing application, and import it as an E0 resource.

-* Data used to train the model such as entities, intents, and utterances will be saved in LUIS for the lifetime of the application. If an owner or contributor deletes the app, this data will be deleted with it. If an application hasn't been used in 90 days, it will be deleted.

-* Application authors can choose to [enable logging](how-to/improve-application.md#log-user-queries-to-enable-active-learning) on the utterances that are sent to a published application. If enabled, utterances will be saved for 30 days, and can be viewed by the application author. If logging isn't enabled when the application is published, this data is not stored.

-[Disabling active learning](how-to/improve-application.md) is disables logging.

-If you have [migrated to an authoring resource](./luis-migration-authoring.md), deleting the resource itself from the Azure portal will delete all your applications associated with that resource, along with their example utterances and logs. The data is retained for 90 days before it is deleted permanently.

-For the purposes of data retention and deletion, an inactive LUIS app may at _MicrosoftΓÇÖs discretion_ be treated as an expired subscription. An app is considered inactive if it meets the following criteria for the last 90 days:

-[Learn about exporting and deleting an app](how-to/sign-in.md)

-An app owner can add contributors to apps. These contributors can modify the model, train, and publish the app. Once you have [migrated](luis-migration-authoring.md) your account, _contributors_ are managed in the Azure portal for the authoring resource, using the **Access control (IAM)** page. Add a user, using the collaborator's email address and the _contributor_ role.

-* A second solution, is by using the [Microsoft Entra identity and access management API in Microsoft Graph](/graph/azuread-identity-access-management-concept-overview) to provide consent to each specific user.

-* Learn [how to create](luis-how-to-azure-subscription.md) authoring and runtime resources

-* Migrate to the new [authoring resource](luis-migration-authoring.md)

-description: The version 1 endpoint and authoring Language Understanding APIs are deprecated. Use this guide to understand how to migrate to version 2 endpoint and authoring APIs.

-#

-# API v1 to v2 Migration guide for LUIS apps

-The version 1 [endpoint](https://aka.ms/v1-endpoint-api-docs) and [authoring](https://aka.ms/v1-authoring-api-docs) APIs are deprecated. Use this guide to understand how to migrate to version 2 [endpoint](https://go.microsoft.com/fwlink/?linkid=2092356) and [authoring](https://go.microsoft.com/fwlink/?linkid=2092087) APIs.

-## New Azure regions

-LUIS has new [regions](./luis-reference-regions.md) provided for the LUIS APIs. LUIS provides a different portal for region groups. The application must be authored in the same region you expect to query. Applications do not automatically migrate regions. You export the app from one region then import into another for it to be available in a new region.

-## Authoring route changes

-The authoring API route changed from using the **prog** route to using the **api** route.

-| version | route |

-|--|--|

-|1|/luis/v1.0/**prog**/apps|

-|2|/luis/**api**/v2.0/apps|

-## Endpoint route changes

-The endpoint API has new query string parameters as well as a different response. If the verbose flag is true, all intents, regardless of score, are returned in an array named intents, in addition to the topScoringIntent.

-| version | GET route |

-|--|--|

-|1|/luis/v1/application?ID={appId}&q={q}|

-|2|/luis/v2.0/apps/{appId}?q={q}[&timezoneOffset][&verbose][&spellCheck][&staging][&bing-spell-check-subscription-key][&log]|

-v1 endpoint success response:

-```json

-{

- "odata.metadata":"https://dialogice.cloudapp.net/odata/$metadata#domain","value":[

- {

- "id":"bccb84ee-4bd6-4460-a340-0595b12db294","q":"turn on the camera","response":"[{\"intent\":\"OpenCamera\",\"score\":0.976928055},{\"intent\":\"None\",\"score\":0.0230718572}]"

- }

- ]

-}

-```

-v2 endpoint success response:

-```json

-{

- "query": "forward to frank 30 dollars through HSBC",

- "topScoringIntent": {

- "intent": "give",

- "score": 0.3964121

- },

- "entities": [

- {

- "entity": "30",

- "type": "builtin.number",

- "startIndex": 17,

- "endIndex": 18,

- "resolution": {

- "value": "30"

- }

- },

- {

- "entity": "frank",

- "type": "frank",

- "startIndex": 11,

- "endIndex": 15,

- "score": 0.935219169

- },

- {

- "entity": "30 dollars",

- "type": "builtin.currency",

- "startIndex": 17,

- "endIndex": 26,

- "resolution": {

- "unit": "Dollar",

- "value": "30"

- }

- },

- {

- "entity": "hsbc",

- "type": "Bank",

- "startIndex": 36,

- "endIndex": 39,

- "resolution": {

- "values": [

- "BankeName"

- ]

- }

- }

- ]

-}

-```

-## Key management no longer in API

-The subscription endpoint key APIs are deprecated, returning 410 GONE.

-| version | route |

-|--|--|

-|1|/luis/v1.0/prog/subscriptions|

-|1|/luis/v1.0/prog/subscriptions/{subscriptionKey}|

-Azure [endpoint keys](luis-how-to-azure-subscription.md) are generated in the Azure portal. You assign the key to a LUIS app on the **[Publish](luis-how-to-azure-subscription.md)** page. You do not need to know the actual key value. LUIS uses the subscription name to make the assignment.

-## New versioning route

-The v2 model is now contained in a [version](luis-how-to-manage-versions.md). A version name is 10 characters in the route. The default version is "0.1".

-| version | route |

-|--|--|

-|1|/luis/v1.0/**prog**/apps/{appId}/entities|

-|2|/luis/**api**/v2.0/apps/{appId}/**versions**/{versionId}/entities|

-## Metadata renamed

-Several APIs that return LUIS metadata have new names.

-| v1 route name | v2 route name |

-|--|--|

-|PersonalAssistantApps |assistants|

-|applicationcultures|cultures|

-|applicationdomains|domains|

-|applicationusagescenarios|usagescenarios|

-## "Sample" renamed to "suggest"

-LUIS suggests utterances from existing [endpoint utterances](how-to/improve-application.md) that may enhance the model. In the previous version, this was named **sample**. In the new version, the name is changed from sample to **suggest**. This is called **[Review endpoint utterances](how-to/improve-application.md)** in the LUIS website.

-| version | route |

-|--|--|

-|1|/luis/v1.0/**prog**/apps/{appId}/entities/{entityId}/**sample**|

-|1|/luis/v1.0/**prog**/apps/{appId}/intents/{intentId}/**sample**|

-|2|/luis/**api**/v2.0/apps/{appId}/**versions**/{versionId}/entities/{entityId}/**suggest**|

-|2|/luis/**api**/v2.0/apps/{appId}/**versions**/{versionId}/intents/{intentId}/**suggest**|

-## Create app from prebuilt domains

-[Prebuilt domains](./howto-add-prebuilt-models.md) provide a predefined domain model. Prebuilt domains allow you to quickly develop your LUIS application for common domains. This API allows you to create a new app based on a prebuilt domain. The response is the new appID.

-|v2 route|verb|

-|--|--|

-|/luis/api/v2.0/apps/customprebuiltdomains |get, post|

-|/luis/api/v2.0/apps/customprebuiltdomains/{culture} |get|

-## Importing 1.x app into 2.x

-The exported 1.x app's JSON has some areas that you need to change before importing into [LUIS][LUIS] 2.0.

-### Prebuilt entities

-The [prebuilt entities](./howto-add-prebuilt-models.md) have changed. Make sure you are using the V2 prebuilt entities. This includes using [datetimeV2](luis-reference-prebuilt-datetimev2.md), instead of datetime.

-### Actions

-The actions property is no longer valid. It should be an empty

-### Labeled utterances

-V1 allowed labeled utterances to include spaces at the beginning or end of the word or phrase. Removed the spaces.

-## Common reasons for HTTP response status codes

-See [LUIS API response codes](luis-reference-response-codes.md).

-## Next steps

-Use the v2 API documentation to update existing REST calls to LUIS [endpoint](https://go.microsoft.com/fwlink/?linkid=2092356) and [authoring](https://go.microsoft.com/fwlink/?linkid=2092087) APIs.

-[LUIS]: ./luis-reference-regions.md

-description: This article describes how to migrate Language Understanding (LUIS) authoring authentication from an email account to an Azure resource.

-#

-# Migrate to an Azure resource authoring key

-> [!IMPORTANT]

-> As of December 3rd 2020, existing LUIS users must have completed the migration process to continue authoring LUIS applications.

-Language Understanding (LUIS) authoring authentication has changed from an email account to an Azure resource. Use this article to learn how to migrate your account, if you haven't migrated yet.

-## What is migration?

-Migration is the process of changing authoring authentication from an email account to an Azure resource. Your account will be linked to an Azure subscription and an Azure authoring resource after you migrate.

-Migration has to be done from the [LUIS portal](https://www.luis.ai). If you create the authoring keys by using the LUIS CLI, for example, you'll need to complete the migration process in the LUIS portal. You can still have co-authors on your applications after migration, but these will be added on the Azure resource level instead of the application level. Migrating your account can't be reversed.

-> [!Note]

-> * If you need to create a prediction runtime resource, there's [a separate process](luis-how-to-azure-subscription.md#create-luis-resources) to create it.

-> * See the [migration notes](#migration-notes) section below for information on how your applications and contributors will be affected.

-> * Authoring your LUIS app is free, as indicated by the F0 tier. Learn [more about pricing tiers](luis-limits.md#resource-usage-and-limits).

-## Migration prerequisites

-* A valid Azure subscription. Ask your tenant admin to add you on the subscription, or [sign up for a free one](https://azure.microsoft.com/free/cognitive-services).

-* A LUIS Azure authoring resource from the LUIS portal or from the [Azure portal](https://portal.azure.com/#create/Microsoft.CognitiveServicesLUISAllInOne).

- * Creating an authoring resource from the LUIS portal is part of the migration process described in the next section.

-* If you're a collaborator on applications, applications won't automatically migrate. You will be prompted to export these apps while going through the migration flow. You can also use the [export API](https://westus.dev.cognitive.microsoft.com/docs/services/5890b47c39e2bb17b84a55ff/operations/5890b47c39e2bb052c5b9c40). You can import the app back into LUIS after migration. The import process creates a new app with a new app ID, for which you're the owner.

-* If you're the owner of the application, you won't need to export your apps because they'll migrate automatically. An email template with a list of all collaborators for each application is provided, so they can be notified of the migration process.

-## Migration steps

-1. When you sign-in to the [LUIS portal](https://www.luis.ai), an Azure migration window will open with the steps for migration. If you dismiss it, you won't be able to proceed with authoring your LUIS applications, and the only action displayed will be to continue with the migration.

- > [!div class="mx-imgBorder"]

- > 

-2. If you have collaborators on any of your apps, you will see a list of application names owned by you, along with the authoring region and collaborator emails on each application. We recommend sending your collaborators an email notifying them about the migration by clicking on the **send** symbol button on the left of the application name.

-A `*` symbol will appear next to the application name if a collaborator has a prediction resource assigned to your application. After migration, these apps will still have these prediction resources assigned to them even though the collaborators will not have access to author your applications. However, this assignment will be broken if the owner of the prediction resource [regenerated the keys](./luis-how-to-azure-subscription.md#regenerate-an-azure-key) from the Azure portal.

- > [!div class="mx-imgBorder"]

- > 

- For each collaborator and app, the default email application opens with a lightly formatted email. You can edit the email before sending it. The email template includes the exact app ID and app name.

- ```html

- Dear Sir/Madam,

- I will be migrating my LUIS account to Azure. Consequently, you will no longer have access to the following app:

- App Id: <app-ID-omitted>

- App name: Human Resources

- Thank you

- ```

- > [!Note]

- > After you migrate your account to Azure, your apps will no longer be available to collaborators.

-3. If you're a collaborator on any apps, a list of application names shared with you is shown along with the authoring region and owner emails on each application. It is recommend to export a copy of the apps by clicking on the export button on the left of the application name. You can import these apps back after you migrate, because they won't be automatically migrated with you.

-A `*` symbol will appear next to the application name if you have a prediction resource assigned to an application. After migration, your prediction resource will still be assigned to these applications even though you will no longer have access to author these apps. If you want to break the assignment between your prediction resource and the application, you will need to go to Azure portal and [regenerate the keys](./luis-how-to-azure-subscription.md#regenerate-an-azure-key).

- > [!div class="mx-imgBorder"]

- > 

-4. In the window for migrating regions, you will be asked to migrate your applications to an Azure resource in the same region they were authored in. LUIS has three authoring regions [and portals](./luis-reference-regions.md#luis-authoring-regions). The window will show the regions where your owned applications were authored. The displayed migration regions may be different depending on the regional portal you use, and apps you've authored.

- > [!div class="mx-imgBorder"]

- > 

-5. For each region, choose to create a new LUIS authoring resource, or to migrate to an existing one using the buttons.

- > [!div class="mx-imgBorder"]

- > 

- Provide the following information:

- * **Tenant Name**: The tenant that your Azure subscription is associated with. By default this is set to the tenant you're currently using. You can switch tenants by closing this window and selecting the avatar in the top right of the screen, containing your initials. Select **Migrate to Azure** to re-open the window.

- * **Azure Subscription Name**: The subscription that will be associated with the resource. If you have more than one subscription that belongs to your tenant, select the one you want from the drop-down list.

- * **Authoring Resource Name**: A custom name that you choose. It's used as part of the URL for your authoring and prediction endpoint queries. If you are creating a new authoring resource, note that the resource name can only include alphanumeric characters, `-`, and canΓÇÖt start or end with `-`. If any other symbols are included in the name,

- resource creation and migration will fail.

- * **Azure Resource Group Name**: A custom resource group name that you choose from the drop-down list. Resource groups allow you to group Azure resources for access and management. If you currently do not have a resource group in your subscription, you will not be allowed to create one in the LUIS portal. Go to [Azure portal](https://portal.azure.com/#create/Microsoft.ResourceGroup) to create one then go to LUIS to continue the sign-in process.

-6. After you have successfully migrated in all regions, select finish. You will now have access to your applications. You can continue authoring and maintaining all your applications in all regions within the portal.

-## Migration notes

-* Before migration, coauthors are known as _collaborators_ on the LUIS app level. After migration, the Azure role of _contributor_ is used for the same functionality on the Azure resource level.

-* If you have signed-in to more than one [LUIS regional portal](./luis-reference-regions.md#luis-authoring-regions), you will be asked to migrate in multiple regions at once.

-* Applications will automatically migrate with you if you're the owner of the application. Applications will not migrate with you if you're a collaborator on the application. However, collaborators will be prompted to export the apps they need.

-* Application owners can't choose a subset of apps to migrate and there is no way for an owner to know if collaborators have migrated.

-* Migration does not automatically move or add collaborators to the Azure authoring resource. The app owner is the one who needs to complete this step after migration. This step requires [permissions to the Azure authoring resource](./luis-how-to-collaborate.md).

-* After contributors are assigned to the Azure resource, they will need to migrate before they can access applications. Otherwise, they won't have access to author the applications.

-## Using apps after migration

-After the migration process, all your LUIS apps for which you're the owner will now be assigned to a single LUIS authoring resource.

-The **My Apps** list shows the apps migrated to the new authoring resource. Before you access your apps, select **Choose a different authoring resource** to select the subscription and authoring resource to view the apps that can be authored.

-> [!div class="mx-imgBorder"]

-> 

-If you plan to edit your apps programmatically, you'll need the authoring key values. These values are displayed by clicking **Manage** at the top of the screen in the LUIS portal, and then selecting **Azure Resources**. They're also available in the Azure portal on the resource's **Key and endpoints** page. You can also create more authoring resources and assign them from the same page.

-## Adding contributors to authoring resources

-Learn [how to add contributors](luis-how-to-collaborate.md) on your authoring resource. Contributors will have access to all applications under that resource.

-You can add contributors to the authoring resource from the Azure portal, on the **Access Control (IAM)** page for that resource. For more information, see [Add contributors to your app](luis-how-to-collaborate.md).

-> [!Note]

-> If the owner of the LUIS app migrated and added the collaborator as a contributor on the Azure resource, the collaborator will still have no access to the app unless they also migrate.

-## Troubleshooting the migration process

-If you cannot find your Azure subscription in the drop-down list:

-* Ensure that you have a valid Azure subscription that's authorized to create Azure AI services resources. Go to the [Azure portal](https://portal.azure.com) and check the status of the subscription. If you don't have one, [create a free Azure account](https://azure.microsoft.com/free/cognitive-services/).

-* Ensure that you're in the proper tenant associated with your valid subscription. You can switch tenants selecting the avatar in the top right of the screen, containing your initials.

- > [!div class="mx-imgBorder"]

- > 

-If you have an existing authoring resource but can't find it when you select the **Use Existing Authoring Resource** option:

-* Your resource was probably created in a different region than the one your are trying to migrate in.

-* Create a new resource from the LUIS portal instead.

-If you select the **Create New Authoring Resource** option and migration fails with the error message "Failed retrieving user's Azure information, retry again later":

-* Your subscription might have 10 or more authoring resources per region, per subscription. If that's the case, you won't be able to create a new authoring resource.

-* Migrate by selecting the **Use Existing Authoring Resource** option and selecting one of the existing resources under your subscription.

-## Create new support request

-If you are having any issues with the migration that are not addressed in the troubleshooting section, please [create a support topic](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest) and provide the information below with the following fields:

- * **Issue Type**: Technical

- * **Subscription**: Choose a subscription from the dropdown list

- * **Service**: Search and select "Azure AI services"

- * **Resource**: Choose a LUIS resource if there is an existing one. If not, select General question.

-## Next steps

-* Review [concepts about authoring and runtime keys](luis-how-to-azure-subscription.md)

-* Review how to [assign keys](luis-how-to-azure-subscription.md) and [add contributors](luis-how-to-collaborate.md)

- * [LUIS Endpoint APIs v2.0](./luis-migration-api-v1-to-v2.md)

-* All LUIS users are required to [migrate to a LUIS authoring resource](luis-migration-authoring.md)

-* Azure authoring resource - [migrate now](luis-migration-authoring.md).

-ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

-var createResponse = client.CreateOrUpdateTextBlocklist(blocklistName, RequestContent.Create(data));

-from azure.ai.contentsafety import ContentSafetyClient

-# Create a Content Safety client

-client = ContentSafetyClient(endpoint, AzureKeyCredential(key))

- blocklist = client.create_or_update_text_blocklist(blocklist_name=blocklist_name, resource={"description": blocklist_description})

-ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

-string blockItemText1 = "<block_item_text_1>";

-string blockItemText2 = "<block_item_text_2>";

-var blockItems = new TextBlockItemInfo[] { new TextBlockItemInfo(blockItemText1), new TextBlockItemInfo(blockItemText2) };

-var addedBlockItems = client.AddBlockItems(blocklistName, new AddBlockItemsOptions(blockItems));

-if (addedBlockItems != null && addedBlockItems.Value != null)

- Console.WriteLine("\nBlockItems added:");

- foreach (var addedBlockItem in addedBlockItems.Value.Value)

- Console.WriteLine("BlockItemId: {0}, Text: {1}, Description: {2}", addedBlockItem.BlockItemId, addedBlockItem.Text, addedBlockItem.Description);

-from azure.ai.contentsafety import ContentSafetyClient

- TextBlockItemInfo,

- AddBlockItemsOptions

-# Create an Content Safety client

-client = ContentSafetyClient(endpoint, AzureKeyCredential(key))

-block_item_text_1 = "<block_item_text_1>"

-block_item_text_2 = "<block_item_text_2>"

-block_items = [TextBlockItemInfo(text=block_item_text_1), TextBlockItemInfo(text=block_item_text_2)]

- result = client.add_block_items(

- blocklist_name=blocklist_name,

- body=AddBlockItemsOptions(block_items=block_items),

- )

- if result and result.value:

- print("\nBlock items added: ")

- for block_item in result.value:

- print(f"BlockItemId: {block_item.block_item_id}, Text: {block_item.text}, Description: {block_item.description}")

- print("\nAdd block items failed: ")

-1. Replace the values of the `block_item_text_1` and `block_item_text_2` fields with the items you'd like to add to your blocklist. The maximum length of a blockItem is 128 characters.

-request.BreakByBlocklists = true;

-if (response.Value.BlocklistsMatchResults != null)

- foreach (var matchResult in response.Value.BlocklistsMatchResults)

- Console.WriteLine("Blockitem was hit in text: Offset: {0}, Length: {1}", matchResult.Offset, matchResult.Length);

- Console.WriteLine("BlocklistName: {0}, BlockItemId: {1}, BlockItemText: {2}, ", matchResult.BlocklistName, matchResult.BlockItemId, matchResult.BlockItemText);

-# Create an Content Safety client

- # After you edit your blocklist, it usually takes effect in 5 minutes, please wait some time before analyzing with blocklist after editing.

- analysis_result = client.analyze_text(AnalyzeTextOptions(text=input_text, blocklist_names=[blocklist_name], break_by_blocklists=False))

- if analysis_result and analysis_result.blocklists_match_results:

- for match_result in analysis_result.blocklists_match_results:

- print(f"Block item was hit in text, Offset={match_result.offset}, Length={match_result.length}.")

- print(f"BlocklistName: {match_result.blocklist_name}, BlockItemId: {match_result.block_item_id}, BlockItemText: {match_result.block_item_text}")

-ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

-var allBlockitems = client.GetTextBlocklistItems(blocklistName);

-Console.WriteLine("\nList BlockItems:");

-foreach (var blocklistItem in allBlockitems)

- Console.WriteLine("BlockItemId: {0}, Text: {1}, Description: {2}", blocklistItem.BlockItemId, blocklistItem.Text, blocklistItem.Description);

-from azure.ai.contentsafety import ContentSafetyClient

-# Create an Content Safety client

-client = ContentSafetyClient(endpoint, AzureKeyCredential(key))

- block_items = client.list_text_blocklist_items(blocklist_name=blocklist_name)

- if block_items:

- print("\nList block items: ")

- for block_item in block_items:

- print(f"BlockItemId: {block_item.block_item_id}, Text: {block_item.text}, Description: {block_item.description}")

- print("\nList block items failed: ")

-ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

-var blocklists = client.GetTextBlocklists();

- Console.WriteLine("BlocklistName: {0}, Description: {1}", blocklist.BlocklistName, blocklist.Description);

-from azure.ai.contentsafety import ContentSafetyClient

-# Create an Content Safety client

-client = ContentSafetyClient(endpoint, AzureKeyCredential(key))

-ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

-var getBlocklist = client.GetTextBlocklist(blocklistName);

- Console.WriteLine("BlocklistName: {0}, Description: {1}", getBlocklist.Value.BlocklistName, getBlocklist.Value.Description);

-from azure.ai.contentsafety import ContentSafetyClient

-# Create an Content Safety client

-client = ContentSafetyClient(endpoint, AzureKeyCredential(key))

-ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

-var getBlockItemId = "<your_block_item_id>";

-var getBlockItem = client.GetTextBlocklistItem(blocklistName, getBlockItemId);

-Console.WriteLine("\nGet BlockItem:");

-Console.WriteLine("BlockItemId: {0}, Text: {1}, Description: {2}", getBlockItem.Value.BlockItemId, getBlockItem.Value.Text, getBlockItem.Value.Description);

-from azure.ai.contentsafety import ContentSafetyClient

-from azure.ai.contentsafety.models import TextBlockItemInfo, AddBlockItemsOptions

-# Create an Content Safety client

-client = ContentSafetyClient(endpoint, AzureKeyCredential(key))

-block_item_text_1 = "<block_item_text>"

- # Add a blockItem

- add_result = client.add_block_items(

- body=AddBlockItemsOptions(block_items=[TextBlockItemInfo(text=block_item_text_1)]),

- if not add_result or not add_result.value or len(add_result.value) <= 0:

- raise RuntimeError("BlockItem not created.")

- block_item_id = add_result.value[0].block_item_id

- # Get this blockItem by blockItemId

- block_item = client.get_text_blocklist_item(

- blocklist_name=blocklist_name,

- block_item_id= block_item_id

- print("\nGet blockitem: ")

- print(f"BlockItemId: {block_item.block_item_id}, Text: {block_item.text}, Description: {block_item.description}")

- print("\nGet block item failed: ")

-ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

-var removeBlockItemId = "<your_block_item_id>";

-var removeBlockItemIds = new List<string> { removeBlockItemId };

-var removeResult = client.RemoveBlockItems(blocklistName, new RemoveBlockItemsOptions(removeBlockItemIds));

- Console.WriteLine("\nBlockItem removed: {0}.", removeBlockItemId);

-from azure.ai.contentsafety import ContentSafetyClient

- TextBlockItemInfo,

- AddBlockItemsOptions,

- RemoveBlockItemsOptions

-# Create an Content Safety client

-client = ContentSafetyClient(endpoint, AzureKeyCredential(key))

-block_item_text_1 = "<block_item_text>"

- # Add a blockItem

- add_result = client.add_block_items(

- body=AddBlockItemsOptions(block_items=[TextBlockItemInfo(text=block_item_text_1)]),

- if not add_result or not add_result.value or len(add_result.value) <= 0:

- raise RuntimeError("BlockItem not created.")

- block_item_id = add_result.value[0].block_item_id

- # Remove this blockItem by blockItemId

- client.remove_block_items(

- blocklist_name=blocklist_name,

- body=RemoveBlockItemsOptions(block_item_ids=[block_item_id])

- print(f"\nRemoved blockItem: {add_result.value[0].block_item_id}")

- print("\nRemove block item failed: ")

-ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

-var deleteResult = client.DeleteTextBlocklist(blocklistName);

-from azure.ai.contentsafety import ContentSafetyClient

-# Create an Content Safety client

-client = ContentSafetyClient(endpoint, AzureKeyCredential(key))

-2. Data is read from the input container, contents are opened and chunked into small chunks with a maximum of 1024 tokens each. If vector search is enabled, the service will calculate the vector representing the embeddings on each chunk. The output of this step (called the "preprocessed" or "chunked" data) is stored in the chunks container created in the previous step.

-*Could not execute skill because Web API skill response is invalid*

-*This request is not authorized to perform this operation*

-| *hybrid (vector + keyword) + semantic* | A hybrid of vector search, semantic and keyword search for retrieval. | [Additional pricing](https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/) on your Azure OpenAI account from calling the embedding model, and additional pricing for [semantic search](/azure/search/semantic-search-overview#availability-and-pricing) usage. |Leverages vector embeddings, language understanding and flexible query parsing to create rich search experiences and generative AI apps that can handle complex and diverse information retrieval scenarios. |

-| **Chunk size** | Azure OpenAI on your data processes your documents by splitting them into chunks before indexing them in Azure Search. The chunk size is the maximum number of tokens for any chunk in the search index. The default chunk size is 1024 tokens. However, given the uniqueness of your data, you may find a different chunk size (such as 256, 512, or 1536 tokens for example) more effective. Adjusting the chunk size can enhance the performance of the chat bot. While finding the optimal chunk size requires some trial and error, start by considering the nature of your dataset. A smaller chunk size is generally better for datasets with direct facts and less context, while a larger chunk size might be beneficial for more contextual information, though it can affect retrieval performance. This is the `chunkSize` parameter in the API.|

-You can modify the following additional settings in the **Data parameters** section in Azure OpenAI Studio and [the API](../reference.md#completions-extensions). You do not need to re-ingest your your data when you update these parameters.

-from openai import AzureOpenAI

-

-client = AzureOpenAI(

- api_key=os.getenv("AZURE_OPENAI_KEY"),

- api_version="2024-02-15-preview",

- azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT")

- )

-> [Azure Government: Translator text reference](../../azure-government/documentation-government-cognitiveservices.md#translator)

-description: Understand the advanced configuration options that are supported with the application routing add-on for Azure Kubernetes Service.

-# Set up a custom domain name and SSL certificate with the application routing add-on

-description: Understand the advanced configuration options that are supported with the application routing add-on with the NGINX ingress controller for Azure Kubernetes Service.

-# Advanced NGINX ingress controller and ingress configurations with the application routing add-on

-Together with [Pod Sandboxing][pod-sandboxing-overview], you can run sensitive workloads isolated in Azure to protect your data and workloads. Confidential Containers helps significantly reduce the risk of unauthorized access from:

-* Your AKS cluster admin

-* The AKS control plane & daemon sets

-* The cloud and host operator

-* The AKS worker node operating system

-* Another pod running on the same VM node

-* Cloud Service Providers (CSPs) and from guest applications through a separate trust model

-Confidential Containers also enable application owners to enforce their application security requirements (for example, deny access to Azure tenant admin, Kubernetes admin, etc.).

-* You can [query Azure Monitor logs](query-logs.md) to analyze update assessments, deployments, and other related management tasks. It includes pre-defined queries to help you get started.

-> You can't set up this feature for Red Hat OpenShift, or for managed Kubernetes offerings of cloud providers like Elastic Kubernetes Service or Google Kubernetes Engine where the user doesn't have access to the API server of the cluster. For Azure Kubernetes Service (AKS) clusters, this [feature is available natively](../../aks/manage-azure-rbac.md) and doesn't require the AKS cluster to be connected to Azure Arc. For AKS on Azure Stack HCI, see [Use Azure RBAC for AKS hybrid clusters (preview)](/azure/aks/hybrid/azure-rbac-aks-hybrid).

-> [!NOTE]

-> Installing Azure Arc extensions on [Azure Kubernetes Service (AKS) hybrid clusters provisioned from Azure](extensions.md#aks-hybrid-clusters-provisioned-from-azure-preview) is currently in preview, with support for the Azure Arc-enabled Open Service Mesh, Azure Key Vault Secrets Provider, Flux (GitOps) and Microsoft Defender for Cloud extensions.

-> [!NOTE]

-> Installing Azure Arc extensions on [AKS hybrid clusters provisioned from Azure](extensions.md#aks-hybrid-clusters-provisioned-from-azure-preview) is currently in preview, with support for the Azure Arc-enabled Open Service Mesh, Azure Key Vault Secrets Provider, Flux (GitOps) and Microsoft Defender for Cloud extensions.

-> Azure Monitor Container Insights is a singleton extension (only one required per cluster). You'll need to clean up any previous Helm chart installations of Azure Monitor Container Insights (without extensions) before installing the same via extensions. Follow the instructions for [deleting the Helm chart](../../azure-monitor/containers/container-insights-optout-hybrid.md) before running `az k8s-extension create`.

-> [!NOTE]

-> When working with [AKS hybrid clusters provisioned from Azure](#aks-hybrid-clusters-provisioned-from-azure-preview), you must set `--cluster-type` to use `provisionedClusters` and also add `--cluster-resource-provider microsoft.hybridcontainerservice` to the command. Installing Azure Arc extensions on AKS hybrid clusters provisioned from Azure is currently in preview.

-> [!IMPORTANT]

-> When working with [AKS hybrid clusters provisioned from Azure](#aks-hybrid-clusters-provisioned-from-azure-preview), you must add `--yes` to the delete command. Installing Azure Arc extensions on AKS hybrid clusters provisioned from Azure is currently in preview.

-## AKS hybrid clusters provisioned from Azure (preview)

-You can deploy extensions to AKS hybrid clusters provisioned from Azure. However, there are a few key differences to keep in mind in order to deploy successfully:

-* The value for the `--cluster-type` parameter must be `provisionedClusters`.

-* You must add `--cluster-resource-provider microsoft.hybridcontainerservice` to your commands.

-* When deleting an extension instance, you must add `--yes` to the command:

- ```azurecli

- az k8s-extension delete --name azuremonitor-containers --cluster-name <clusterName> --resource-group <resourceGroupName> --cluster-type provisionedClusters --cluster-resource-provider microsoft.hybridcontainerservice --yes

- ```

-In addition, you must be using the latest version of the Azure CLI `k8s-extension` module (version >= 1.3.3). Use the following commands to add or update to the latest version:

-```azurecli

-# add if you do not have this installed

-az extension add --name k8s-extension

-# update if you do have the module installed

-az extension update --name k8s-extension

-```

-> [!IMPORTANT]

-> Installing Azure Arc extensions on AKS hybrid clusters provisioned from Azure is currently in preview.

-| `--cluster-type` `-t` | Allowed values: `connectedClusters`, `managedClusters`, `provisionedClusters` | Use `connectedClusters` for Azure Arc-enabled Kubernetes clusters, `managedClusters` for AKS clusters, or `provisionedClusters` for [AKS hybrid clusters provisioned from Azure](extensions.md#aks-hybrid-clusters-provisioned-from-azure-preview) (installing extensions on these clusters is currently in preview). |

-| `--scope` `-s` | String | Permission scope for the operators. Possible values are `cluster` (full access) or `namespace` (restricted access). Default: `cluster`.

- - AKS hybrid clusters provisioned from Azure

-> [!TIP]

-> When using this extension with [AKS hybrid clusters provisioned from Azure](extensions.md#aks-hybrid-clusters-provisioned-from-azure-preview) you must set `--cluster-type` to use `provisionedClusters` and also add `--cluster-resource-provider microsoft.hybridcontainerservice` to the command. Installing Azure Arc extensions on AKS hybrid clusters provisioned from Azure is currently in preview.

-> [!TIP]

-> If the cluster is behind an outbound proxy server, ensure that you connect it to Azure Arc using the [proxy configuration](quickstart-connect-cluster.md#connect-using-an-outbound-proxy-server) option before installing the extension.

-> Only one instance of the extension can be deployed on each Azure Arc-enabled Kubernetes cluster.

-1. Provide Azure Key Vault GET permission to the created service principal by [following these steps](../../key-vault/general/assign-access-policy.md).

-1. Create a SecretProviderClass with the following YAML, filling in your values for key vault name, tenant ID, and objects to retrieve from your AKV instance:

- For use with national clouds, change `cloudName` to `AzureUSGovernmentCloud` for U.S. Government Cloud, or to `AzureChinaCloud` for Azure China Cloud.

-You can use other configuration settings as needed for your deployment. For example, to change the kubelet root directory while creating a cluster, modify the az k8s-extension create command:

- - AKS hybrid clusters provisioned from Azure

-> [!TIP]

-> When using this extension with [AKS hybrid clusters provisioned from Azure](extensions.md#aks-hybrid-clusters-provisioned-from-azure-preview) you must set `--cluster-type` to use `provisionedClusters` and also add `--cluster-resource-provider microsoft.hybridcontainerservice` to the command. Installing Azure Arc extensions on AKS hybrid clusters provisioned from Azure is currently in preview.

-> [!TIP]

-> When using this extension with [AKS hybrid clusters provisioned from Azure](extensions.md#aks-hybrid-clusters-provisioned-from-azure-preview) you must set `--cluster-type` to use `provisionedClusters` and also add `--cluster-resource-provider microsoft.hybridcontainerservice` to the command. Installing Azure Arc extensions on AKS hybrid clusters provisioned from Azure is currently in preview.

-* Read and write permissions on the `Microsoft.ContainerService/managedClusters` resource type. If using [AKS hybrid clusters provisioned from Azure (preview)](extensions.md#aks-hybrid-clusters-provisioned-from-azure-preview), read and write permissions on the `Microsoft.ContainerService/provisionedClusters` resource type).

-* Read and write permissions on the `Microsoft.ContainerService/managedClusters` resource type. If using [AKS hybrid clusters provisioned from Azure (preview)](extensions.md#aks-hybrid-clusters-provisioned-from-azure-preview), read and write permissions on the `Microsoft.ContainerService/provisionedClusters` resource type).

-* The cluster type is Azure Arc (`-t connectedClusters`), but this example also works with AKS (`-t managedClusters`) and AKS hybrid clusters provisioned from Azure (`-t provisionedClusters`).

-> These commands use `-t connectedClusters`, which is appropriate for an Azure Arc-enabled Kubernetes cluster. For an AKS cluster, use `-t managedClusters` instead. For AKS hybrid clusters provisioned from Azure, use `-t provisionedClusters`.

-> Azure Stack HCI and Hybrid AKS use different commands to create the Arc resource bridge configuration files.

-Azure Arc resource bridge is a Microsoft managed product that is part of the core Azure Arc platform. It is designed to host other Azure Arc services. In this release, the resource bridge supports VM self-servicing and management from Azure, for virtualized Windows and Linux virtual machines hosted in an on-premises environment on [Azure Stack HCI](/azure-stack/hci/manage/azure-arc-vm-management-overview), VMware ([Arc-enabled VMware vSphere](../vmware-vsphere/index.yml)), and System Center Virtual Machine Manager (SCVMM) [Arc-enabled SCVMM](../system-center-virtual-machine-manager/index.yml).

- * Azure Arc-enabled VMware

-For Arc-enabled private clouds in General Availability, the minimum supported version of Arc resource bridge is 1.0.15.

-* Learn about [provisioning and managing on-premises Windows and Linux VMs running on Azure Stack HCI clusters](/azure-stack/hci/manage/azure-arc-enabled-virtual-machines).

-Arc Appliance CLI extension, 'arcappliance', needs to be installed on the CLI. This can be done by running: `az extension add --name arcappliance`

-> [!NOTE]

-> To use Azure Kubernetes Service (AKS) on Azure Stack HCI with Arc resource bridge, AKS must be deployed prior to deploying Arc resource bridge. If Arc resource bridge has already been deployed, AKS can't be installed unless you delete Arc resource bridge first. Once AKS is deployed to Azure Stack HCI, you can deploy Arc resource bridge again.

-Arc resource bridge consists of an appliance VM that is deployed on-premises. The appliance VM has visibility into the on-premises infrastructure and can tag on-premises resources (guest management) for projection into Azure Resource Manager (ARM).

-The appliance VM is assigned an IP address from the `k8snodeippoolstart` parameter in the `createconfig` command; it may be referred to in partner products as Start Range IP, RB IP Start or VM IP 1.

-Arc resource bridge reserves an additional IP address to be used for the appliance VM upgrade.

- - Static IP address assigned; the IP address should be outside the DHCP range but still available on the network segment. This IP address can't be assigned to any other machine on the network.

- - If using DHCP, the control plane IP should be a single reserved IP that is outside of the assignable DHCP range of IPs. No other machine on the network will use or receive this IP from DHCP. DHCP is generally not recommended because a change in IP address (ex: due to an outage) impacts the resource bridge availability.

- - If using Azure Kubernetes Service on Azure Stack HCI (AKS hybrid) and installing Arc resource bridge, then the control plane IP for the resource bridge can't be used by the AKS hybrid cluster. For specific instructions on deploying Arc resource bridge with AKS on Azure Stack HCI, see [AKS on HCI (AKS hybrid) - Arc resource bridge deployment](/azure/aks/hybrid/deploy-arc-resource-bridge-windows-server).

- - If using a proxy, the proxy server has to be reachable from IPs within the IP address prefix, including the reserved appliance VM IP.

-

-

-

-> Arc resource bridge can only use a user account that does not have multifactor authentication enabled.

-If the user account is set to periodically change passwords, [the credentials must be immediately updated on the resource bridge](maintenance.md#update-credentials-in-the-appliance-vm). This user account may also be set with a lockout policy to protect the on-premises infrastructure, in case the credentials aren't updated and the resource bridge makes multiple attempts to use expired credentials to access the on-premises control center.

-Three configuration files are created when the `createconfig` command completes (or the equivalent commands used by Azure Stack HCI and AKS hybrid): `<appliance-name>-resource.yaml`, `<appliance-name>-appliance.yaml` and `<appliance-name>-infra.yaml`.

-Arc resource bridge uses a MOC login credential called [KVA token](/azure-stack/hci/manage/deploy-arc-resource-bridge-using-command-line#set-up-arc-vm-management) (kvatoken.tok) to interact with Azure Stack HCI. The KVA token is generated with the appliance configuration files when deploying Arc resource bridge. This token is also used when collecting logs for Arc resource bridge, so it should be saved in a secure location with the rest of the appliance configuration files. This file is saved in the directory provided during configuration file creation or the default CLI directory.

-## AKS on Azure Stack HCI with Arc resource bridge

-

-When you deploy Arc resource bridge with AKS on Azure Stack HCI (AKS-HCI), the following configurations must be applied:

-For instructions to deploy Arc resource bridge on AKS Hybrid, see [How to install Azure Arc Resource Bridge on Windows Server - AKS hybrid](/azure/aks/hybrid/deploy-arc-resource-bridge-windows-server).

-To manually upgrade your Arc resource bridge, make sure you're using the latest `az arcappliance` CLI extension by running the extension upgrade command from the management machine:

-To upgrade a resource bridge on System Center Virtual Machine Manager (SCVMM), run: `az arcappliance upgrade scvmm --config-file c:\contosoARB01-appliance.yaml`

-`azcmagent config set extensions.blocklist " microsoft.cplat.core/runcommandhandlerwindows"`

-`azcmagent config set extensions.blocklist " microsoft.cplat.core/runcommandhandlerlinux"`

-When you enable guest management on Arc-enabled VMware vSphere virtual machines, the Arc connected machine agent is installed on them.

- Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

- This action only removes these resource representations from Azure. The resources continue to remain in your vCenter.

-This article provides information on how to troubleshoot and resolve the issues that can occur while you enable guest management on Arc-enabled VMware vSphere virtual machines.

-Applies to:

- `policy_module(vmtools_unconfined_rpm_script_kcs5347781, 1.0)

-description: In this quickstart, you'll create a new Java app that uses Azure Cache for Redis

-## Setting up the working environment

-Depending on your operating system, add environment variables for your **Host name** and **Primary access key** that you noted above. Open a command prompt, or a terminal window, and set up the following values:

-```dos

-set REDISCACHEHOSTNAME=<YOUR_HOST_NAME>.redis.cache.windows.net

-set REDISCACHEKEY=<YOUR_PRIMARY_ACCESS_KEY>

-```

-export REDISCACHEHOSTNAME=<YOUR_HOST_NAME>.redis.cache.windows.net

-export REDISCACHEKEY=<YOUR_PRIMARY_ACCESS_KEY>

-## Understanding the Java sample

-1. Open the *pom.xml* file. In the file, you'll see a dependency for [Jedis](https://github.com/xetorthio/jedis):

-1. First, if you haven't already, you must set the environment variables as noted above.

- ```dos

- set REDISCACHEHOSTNAME=<YOUR_HOST_NAME>.redis.cache.windows.net

- set REDISCACHEKEY=<YOUR_PRIMARY_ACCESS_KEY>

- ```

- ```dos

- mvn compile

- mvn exec:java -D exec.mainClass=example.demo.App

- ```

-In the example below, you see the `Message` key previously had a cached value. The value was updated to a new value using `jedis.set`. The app also executed the `PING` and `CLIENT LIST` commands.

-> Deleting a resource group is irreversible and that the resource group and all the resources in it are permanently deleted. Make sure that you do not accidentally delete the wrong resource group or resources. If you created the resources for hosting this sample inside an existing resource group that contains resources you want to keep, you can delete each resource individually on the left instead of deleting the resource group.

- :::image type="content" source="./media/cache-java-get-started/azure-cache-redis-delete-resource-group.png" alt-text="Azure resource group deleted":::

-1. You'll be asked to confirm the deletion of the resource group. Type the name of your resource group to confirm, and select **Delete**.

-## Part 1: Provision Azure AI services accounts

-2. In the PowerShell command below, replace `rg-name`, `name-of-your-api`, and `location-of-resourcegroup` with your relevant account information.

- - TextAnalytics

- New-AzCognitiveServicesAccount -ResourceGroupName 'rg-name' -name 'name-of-your-api' -Type <type of API> -SkuName S0 -Location 'location-of-resourcegroup'

-### Retrieve Account Key

-## Part 2: API Quickstarts

-The Quickstarts below will help you to get started with the APIs available through Azure AI services in Azure Government.

-## Computer Vision

-### Prerequisites

- - [Visual Studio 2019](https://www.visualstudio.com/vs/), including the **Azure development** workload.

-

- >[!NOTE]

- > After you install or upgrade to Visual Studio 2019, you might also need to manually update the Visual Studio 2019 tools for Azure Functions. You can update the tools from the **Tools** menu under **Extensions and Updates...** > **Updates** > **Visual Studio Marketplace** > **Azure Functions and Web Jobs Tools** > **Update**.

- >

- >

-

-### Variations

-### Analyze an image with Computer Vision using C#

-With the [Analyze Image method](https://westcentralus.dev.cognitive.microsoft.com/docs/services/56f91f2d778daf23d8ec6739/operations/56f91f2e778daf14a499e1fa), you can extract visual features based on image content. You can upload an image or specify an image URL and choose which features to return, including:

-### Analyze an image C# example request

-1. Create a new Console solution in Visual Studio.

-2. Replace Program.cs with the following code.

-3. Change the `uriBase` to the "Endpoint" attribute that you saved from Part 1, and keep the "/analyze" after the endpoint.

-4. Replace the `subscriptionKey` value with your valid subscription key.

-5. Run the program.

-```csharp

-using System;

-using System.IO;

-using System.Net.Http;

-using System.Net.Http.Headers;

-using System.Text;

-namespace VisionApp1

-{

- static class Program

- {

- // **********************************************

- // *** Update or verify the following values. ***

- // **********************************************

- // Replace the subscriptionKey string value with your valid subscription key.

- const string subscriptionKey = "<subscription key>";

- //Copy and paste the "Endpoint" attribute that you saved before into the uriBase string "/analyze" at the end.

- //Example: https://virginia.api.cognitive.microsoft.us/vision/v1.0/analyze

-

- const string uriBase = "<endpoint>/analyze";

-

- static void Main()

- {

- // Get the path and filename to process from the user.

- Console.WriteLine("Analyze an image:");

- Console.Write("Enter the path to an image you wish to analyze: ");

- string imageFilePath = Console.ReadLine();

- // Execute the REST API call.

- MakeAnalysisRequest(imageFilePath);

- Console.WriteLine("\nPlease wait a moment for the results to appear. Then, press Enter to exit...\n");

- Console.ReadLine();

- }

- /// <summary>

- /// Gets the analysis of the specified image file by using the Computer Vision REST API.

- /// </summary>

- /// <param name="imageFilePath">The image file.</param>

- static async void MakeAnalysisRequest(string imageFilePath)

- {

- HttpClient client = new HttpClient();

- // Request headers.

- client.DefaultRequestHeaders.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

- // Request parameters. A third optional parameter is "details".

- string requestParameters = "visualFeatures=Categories,Description,Color&language=en";

- // Assemble the URI for the REST API Call.

- string uri = uriBase + "?" + requestParameters;

- HttpResponseMessage response;

- // Request body. Posts a locally stored JPEG image.

- byte[] byteData = GetImageAsByteArray(imageFilePath);

- using (ByteArrayContent content = new ByteArrayContent(byteData))

- {

- // This example uses content type "application/octet-stream".

- // The other content types you can use are "application/json" and "multipart/form-data".

- content.Headers.ContentType = new MediaTypeHeaderValue("application/octet-stream");

- // Execute the REST API call.

- response = await client.PostAsync(uri, content);

- // Get the JSON response.

- string contentString = await response.Content.ReadAsStringAsync();

- // Display the JSON response.

- Console.WriteLine("\nResponse:\n");

- Console.WriteLine(JsonPrettyPrint(contentString));

- }

- }

- /// <summary>

- /// Returns the contents of the specified file as a byte array.

- /// </summary>

- /// <param name="imageFilePath">The image file to read.</param>

- /// <returns>The byte array of the image data.</returns>

- static byte[] GetImageAsByteArray(string imageFilePath)

- {

- FileStream fileStream = new FileStream(imageFilePath, FileMode.Open, FileAccess.Read);

- BinaryReader binaryReader = new BinaryReader(fileStream);

- return binaryReader.ReadBytes((int)fileStream.Length);

- }

- /// <summary>

- /// Formats the given JSON string by adding line breaks and indents.

- /// </summary>

- /// <param name="json">The raw JSON string to format.</param>

- /// <returns>The formatted JSON string.</returns>

- static string JsonPrettyPrint(string json)

- {

- if (string.IsNullOrEmpty(json))

- return string.Empty;

- json = json.Replace(Environment.NewLine, "").Replace("\t", "");

- StringBuilder sb = new StringBuilder();

- bool quote = false;

- bool ignore = false;

- int offset = 0;

- int indentLength = 3;

- foreach (char ch in json)

- {

- switch (ch)

- {

- case '"':

- if (!ignore) quote = !quote;

- break;

- case '\'':

- if (quote) ignore = !ignore;

- break;

- }

- if (quote)

- sb.Append(ch);

- else

- {

- switch (ch)

- {

- case '{':

- case '[':

- sb.Append(ch);

- sb.Append(Environment.NewLine);

- sb.Append(new string(' ', ++offset * indentLength));

- break;

- case '}':

- case ']':

- sb.Append(Environment.NewLine);

- sb.Append(new string(' ', --offset * indentLength));

- sb.Append(ch);

- break;

- case ',':

- sb.Append(ch);

- sb.Append(Environment.NewLine);

- sb.Append(new string(' ', offset * indentLength));

- break;

- case ':':

- sb.Append(ch);

- sb.Append(' ');

- break;

- default:

- if (ch != ' ') sb.Append(ch);

- break;

- }

- }

- }

- return sb.ToString().Trim();

- }

- }

- }

-```

-### Analyze an Image response

-A successful response is returned in JSON. Shown below is an example of a successful response:

-```json

-{

- "categories": [

- {

- "name": "people_baby",

- "score": 0.52734375

- },

- {

- "name": "people_young",

- "score": 0.4375

- }

- ],

- "description": {

- "tags": [

- "person",

- "indoor",

- "clothing",

- "woman",

- "white",

- "table",

- "food",

- "girl",

- "smiling",

- "posing",

- "holding",

- "black",

- "sitting",

- "young",

- "plate",

- "hair",

- "wearing",

- "cake",

- "large",

- "shirt",

- "dress",

- "eating",

- "standing",

- "blue"

- ],

- "captions": [

- {

- "text": "a woman posing for a picture",

- "confidence": 0.460196158842535

- }

- ]

- },

- "requestId": "7c20cc50-f5eb-453b-abb5-98378917431c",

- "metadata": {

- "width": 721,

- "height": 960,

- "format": "Jpeg"

- },

- "color": {

- "dominantColorForeground": "Black",

- "dominantColorBackground": "White",

- "dominantColors": [

- "White"

- ],

- "accentColor": "7C4F57",

- "isBWImg": false

- }

-}

-```

-For more information, see [public documentation](../ai-services/computer-vision/index.yml) and [public API documentation](https://westus.dev.cognitive.microsoft.com/docs/services/56f91f2d778daf23d8ec6739/operations/56f91f2e778daf14a499e1fa) for Computer Vision.

-## Face API

-### Prerequisites

- - [Visual Studio 2019](https://www.visualstudio.com/vs/), including the **Azure development** workload.

-

- >[!NOTE]

- > After you install or upgrade to Visual Studio 2019, you might also need to manually update the Visual Studio 2019 tools for Azure Functions. You can update the tools from the **Tools** menu under **Extensions and Updates...** > **Updates** > **Visual Studio Marketplace** > **Azure Functions and Web Jobs Tools** > **Update**.

- >

- >

-

-### Variations

-### Detect faces in images with Face API using C#

-Use the [Face - Detect method](https://westcentralus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) to detect faces in an image and return face attributes including:

-### Face detect C# example request

-The sample is written in C# using the Face API client library.

-1. Create a new Console solution in Visual Studio.

-2. Replace Program.cs with the following code.

-3. Replace the `subscriptionKey` value with the key value that you retrieved above.

-4. Change the `uriBase` value to the "Endpoint" attribute you retrieved above.

-5. Run the program.

-6. Enter the path to an image on your hard drive.

-```csharp

-using System;

-using System.IO;

-using System.Net.Http;

-using System.Net.Http.Headers;

-using System.Text;

-namespace FaceApp1

-{

- static class Program

- {

- // **********************************************

- // *** Update or verify the following values. ***

- // **********************************************

-

- // Replace the subscriptionKey string value with your valid subscription key.

- const string subscriptionKey = "<subscription key>";

- //Copy and paste the "Endpoint" attribute that you saved before into the uriBase string "/detect" at the end.

- //Example: https://virginia.api.cognitive.microsoft.us/face/v1.0/detect

- const string uriBase ="<endpoint>/detect";

- static void Main()

- {

- // Get the path and filename to process from the user.

- Console.WriteLine("Detect faces:");

- Console.Write("Enter the path to an image with faces that you wish to analzye: ");

- string imageFilePath = Console.ReadLine();

- // Execute the REST API call.

- MakeAnalysisRequest(imageFilePath);

- Console.WriteLine("\nPlease wait a moment for the results to appear. Then, press Enter to exit...\n");

- Console.ReadLine();

- }

- /// <summary>

- /// Gets the analysis of the specified image file by using the Computer Vision REST API.

- /// </summary>

- /// <param name="imageFilePath">The image file.</param>

- static async void MakeAnalysisRequest(string imageFilePath)

- {

- HttpClient client = new HttpClient();

- // Request headers.

- client.DefaultRequestHeaders.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

- // Request parameters. A third optional parameter is "details".

- string requestParameters = "returnfaceId=true&returnfaceLandmarks=false&returnfaceAttributes=age,gender,headPose,smile,facialHair,glasses,emotion";

- // Assemble the URI for the REST API Call.

- string uri = uriBase + "?" + requestParameters;

- HttpResponseMessage response;

- // Request body. Posts a locally stored JPEG image.

- byte[] byteData = GetImageAsByteArray(imageFilePath);

- using (ByteArrayContent content = new ByteArrayContent(byteData))

- {

- // This example uses content type "application/octet-stream".

- // The other content types you can use are "application/json" and "multipart/form-data".

- content.Headers.ContentType = new MediaTypeHeaderValue("application/octet-stream");

- // Execute the REST API call.

- response = await client.PostAsync(uri, content);

- // Get the JSON response.

- string contentString = await response.Content.ReadAsStringAsync();

- // Display the JSON response.

- Console.WriteLine("\nResponse:\n");

- Console.WriteLine(JsonPrettyPrint(contentString));

- }

- }

- /// <summary>

- /// Returns the contents of the specified file as a byte array.

- /// </summary>

- /// <param name="imageFilePath">The image file to read.</param>

- /// <returns>The byte array of the image data.</returns>

- static byte[] GetImageAsByteArray(string imageFilePath)

- {

- FileStream fileStream = new FileStream(imageFilePath, FileMode.Open, FileAccess.Read);

- BinaryReader binaryReader = new BinaryReader(fileStream);

- return binaryReader.ReadBytes((int)fileStream.Length);

- }

- /// <summary>

- /// Formats the given JSON string by adding line breaks and indents.

- /// </summary>

- /// <param name="json">The raw JSON string to format.</param>

- /// <returns>The formatted JSON string.</returns>

- static string JsonPrettyPrint(string json)

- {

- if (string.IsNullOrEmpty(json))

- return string.Empty;

- json = json.Replace(Environment.NewLine, "").Replace("\t", "");

- StringBuilder sb = new StringBuilder();

- bool quote = false;

- bool ignore = false;

- int offset = 0;

- int indentLength = 3;

- foreach (char ch in json)

- {

- switch (ch)

- {

- case '"':

- if (!ignore) quote = !quote;

- break;

- case '\'':

- if (quote) ignore = !ignore;

- break;

- }

- if (quote)

- sb.Append(ch);

- else

- {

- switch (ch)

- {

- case '{':

- case '[':

- sb.Append(ch);

- sb.Append(Environment.NewLine);

- sb.Append(new string(' ', ++offset * indentLength));

- break;

- case '}':

- case ']':

- sb.Append(Environment.NewLine);

- sb.Append(new string(' ', --offset * indentLength));

- sb.Append(ch);

- break;

- case ',':

- sb.Append(ch);

- sb.Append(Environment.NewLine);

- sb.Append(new string(' ', offset * indentLength));

- break;

- case ':':

- sb.Append(ch);

- sb.Append(' ');

- break;

- default:

- if (ch != ' ') sb.Append(ch);

- break;

- }

- }

- }

- return sb.ToString().Trim();

- }

- }

-}

-```

-### Face detect response

-A successful response is returned in JSON. Shown below is an example of a successful response:

-```json

-Response:

-[

- {

- "faceId": "0ed7f4db-1207-40d4-be2e-84694e42d682",

- "faceRectangle": {

- "top": 60,

- "left": 83,

- "width": 361,

- "height": 361

- },

- "faceAttributes": {

- "smile": 0.284,

- "headPose": {

- "pitch": 0.0,

- "roll": -12.2,

- "yaw": -16.7

- },

- "gender": "female",

- "age": 16.5,

- "facialHair": {

- "moustache": 0.0,

- "beard": 0.0,

- "sideburns": 0.0

- },

- "glasses": "NoGlasses",

- "emotion": {

- "anger": 0.003,

- "contempt": 0.001,

- "disgust": 0.001,

- "fear": 0.002,

- "happiness": 0.284,

- "neutral": 0.694,

- "sadness": 0.012,

- "surprise": 0.004

- }

- }

- }

-]

-```

-For more information, see [public documentation](../ai-services/computer-vision/overview-identity.md), and [public API documentation](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) for Face API.

-## Text Analytics

-For instructions on how to use Text Analytics, see [Quickstart: Use the Text Analytics client library and REST API](../ai-services/language-service/language-detection/overview.md?tabs=version-3-1&pivots=programming-language-csharp).

-### Variations

-## Translator

-### Prerequisites

- - [Visual Studio 2019](https://www.visualstudio.com/vs/), including the **Azure development** workload.

-

- >[!NOTE]

- > After you install or upgrade to Visual Studio 2019, you might also need to manually update the Visual Studio 2019 tools for Azure Functions. You can update the tools from the **Tools** menu under **Extensions and Updates...** > **Updates** > **Visual Studio Marketplace** > **Azure Functions and Web Jobs Tools** > **Update**.

- >

- >

-

-### Variations

- The URI for accessing the API is:

- - `https://<your-custom-domain>.cognitiveservices.azure.us/translator/text/v3.0`

- - You can find your custom domain endpoint in the overview blade on the Azure Government portal once the resource is created.

-### Text translation method

-The below example uses [Text Translation - Translate method](../ai-services/translator/reference/v3-0-translate.md) to translate a string of text from a language into another specified language. There are multiple [language codes](https://api.cognitive.microsofttranslator.com/languages?api-version=3.0&scope=translation) that can be used with Translator.

-### Text translation C# example request

-The sample is written in C#.

-1. Create a new Console solution in Visual Studio.

-2. Replace Program.cs with the corresponding code below.

-3. Replace the `endpoint` value with the URI as explained in the `Variations` section.

-4. Replace the `subscriptionKey` value with the key value that you retrieved above.

-5. Replace the `region` value with the region value where you created your translator resource.

-6. Replace the `text` value with text that you want to translate.

-7. Run the program.

-You can also test out different languages and texts by replacing the `text`, `from`, and `to` variables in Program.cs.

-```csharp

-using System;

-using System.Collections.Generic;

-using Microsoft.Rest;

-using System.Net.Http;

-using System.Threading;

-using System.Threading.Tasks;

-using System.Net;

-using System.IO;

-using Newtonsoft.Json;

-using System.Text;

-namespace TextTranslator

-{

- class Program

- {

- static string host = "PASTE ENDPOINT HERE";

- static string path = "/translate?api-version=3.0";

- // Translate to German.

- static string params_ = "&to=de";

- static string uri = host + path + params_;

- // NOTE: Replace this example key with a valid subscription key.

- static string key = "PASTE KEY HERE";

-

- // NOTE: Replace this example region with a valid region.

- static string region = "PASTE REGION HERE";

-

- static string text = "Hello world!";

- async static void Translate()

- {

- System.Object[] body = new System.Object[] { new { Text = text } };

- var requestBody = JsonConvert.SerializeObject(body);

- using (var client = new HttpClient())

- using (var request = new HttpRequestMessage())

- {

- request.Method = HttpMethod.Post;

- request.RequestUri = new Uri(uri);

- request.Content = new StringContent(requestBody, Encoding.UTF8, "application/json");

- request.Headers.Add("Ocp-Apim-Subscription-Key", key);

- request.Headers.Add("Ocp-Apim-Subscription-Region", region);

- var response = await client.SendAsync(request);

- var responseBody = await response.Content.ReadAsStringAsync();

- var result = JsonConvert.SerializeObject(JsonConvert.DeserializeObject(responseBody), Formatting.Indented);

- Console.OutputEncoding = UnicodeEncoding.UTF8;

- Console.WriteLine(result);

- }

- }

- static void Main(string[] args)

- {

- Translate();

- Console.ReadLine();

- }

- }

-}

-```

-For more information, see [public documentation](../ai-services/translator/translator-overview.md) and [public API documentation](../ai-services/translator/reference/v3-0-reference.md) for Translator.

-

-

-

-

-

-

-

-

-The Azure Linux Container Host adopts newer CNCF packages like K8s with higher cadence and doesn't delay them for annual releases. However, major compiler upgrades or deprecating language stacks like Python 2.7x may be held for major releases.

->

-> * You can enable [diagnostic settings on classic Application Insights]() before you [migrate to a workspace-based Application Insights resource](convert-classic-resource.md).All [workspace-based Application Insights resources](./create-workspace-resource.md) must use [diagnostic settings](./create-workspace-resource.md#export-telemetry).

->

->

-To continue with automated exports, you will need to migrate to [diagnostic settings](/previous-versions/azure/azure-monitor/app/continuous-export-diagnostic-setting) before migrating to workspace-based resource. The diagnostic setting will carry over in the migration to workspace-based Application Insights.

-If you are using Terraform to manage your Azure resources, it is important to use the latest version of the Terraform azurerm provider before attempting to upgrade your App Insights resource. Using an older version of the provider, such as version 3.12, may result in the deletion of the classic component before creating the replacement workspace-based Application Insights resource. This can cause the loss of previous data and require updating the configurations in your monitored apps with new connection string and instrumentation key values.

-**Error message:** "The selected workspace is configured with workspace-based access mode. Some APM features may be impacted. Select another workspace or allow resource-based access in the workspace settings. You can override this error by using CLI."

-The legacy **Continuous export** functionality isn't supported for workspace-based resources. Prior to migrating, you need to enable diagnostic settings and disable continuous export.

-1. [Enable Diagnostic Settings](/previous-versions/azure/azure-monitor/app/continuous-export-diagnostic-setting) on you classic Application Insights resource.

-| `applicationinsights-logging-log4j1_2` | Remove the dependency and remove the Application Insights appender from your logback configuration. | No longer needed since Logback is autoinstrumented in the 3.x Java agent. |

- - If you previously installed monitoring on a cluster using a script without cluster extensions, follow the instructions at [Disable Container insights on your hybrid Kubernetes cluster](container-insights-optout-hybrid.md) to delete this Helm chart.

-#### AKS hybrid cluster

-```azurecli

-### Use default Log Analytics workspace

-az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type provisionedclusters --cluster-resource-provider "microsoft.hybridcontainerservice" --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogs.useAADAuth=true

-### Use existing Log Analytics workspace

-az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type provisionedclusters --cluster-resource-provider "microsoft.hybridcontainerservice" --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogs.useAADAuth=true --configuration-settings logAnalyticsWorkspaceResourceID=<workspace-resource-id>

-```

-See the [resource requests and limits section of Helm chart](https://github.com/microsoft/Docker-Provider/blob/ci_prod/charts/azuremonitor-containers/values.yaml) for the available configuration settings.

-**Example**

-```azurecli

-az aks enable-addons -a monitoring -n <cluster-name> -g <cluster-resource-group-name> --workspace-resource-id "/subscriptions/my-subscription/resourceGroups/my-resource-group/providers/Microsoft.OperationalInsights/workspaces/my-workspace"

-```

-**Delete extension instance**

-The following command only deletes the extension instance, but doesn't delete the Log Analytics workspace. The data in the Log Analytics resource is left intact.

-```azurecli

-az k8s-extension delete --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type provisionedclusters --cluster-resource-provider "microsoft.hybridcontainerservice" --name azuremonitor-containers --yes

-```

- :::image type="content" source="media/diagnostic-settings/send-to-log-analytics-event-hubs.png" alt-text="Screenshot that shows Send to Log Analytics and Stream to an event hub." border="false":::

- 1. **Log Analytics**: Enter the subscription and workspace. If you don't have a workspace, you must [create one before you proceed](../logs/quick-create-workspace.md).

- 1. **Event Hubs**: Specify the following criteria:

- - **Subscription**: The subscription that the event hub is part of.

- - **Event hub namespace**: If you don't have one, you must [create one](../../event-hubs/event-hubs-create.md).

- - **Event hub name (optional)**: The name to send all data to. If you don't specify a name, an event hub is created for each log category. If you're sending to multiple categories, you might want to specify a name to limit the number of event hubs created. For more information, see [Azure Event Hubs quotas and limits](../../event-hubs/event-hubs-quotas.md).

- - **Event hub policy name** (also optional): A policy defines the permissions that the streaming mechanism has. For more information, see [Event Hubs features](../../event-hubs/event-hubs-features.md#publisher-policy).

- 1. **Partner integration**: You must first install partner integration into your subscription. Configuration options vary by partner. For more information, see [Azure Monitor partner integrations](../../partner-solutions/overview.md).

-The problem occurs because of a recent change in the underlying API. Metric categories other than **AllMetrics** aren't supported and never were except for a few specific Azure services. In the past, other category names were ignored when deploying a diagnostic setting. The Azure Monitor back end redirected these categories to **AllMetrics**. As of February 2021, the back end was updated to specifically confirm the metric category provided is accurate. This change has caused some deployments to fail.

-Every effort is made to ensure all log data is sent correctly to your destinations, however it's not possible guarantee 100% data transfer of logs between endpoints. Retries and other mechanisms are in place to work around these issues and attempt to ensure log data arrives at the endpoint.

-The "Audit" category is a subset of "All", but the Azure portal and REST API consider them separate settings. Selecting "All" does collect all audit logs regardless of if the "Audit" category is also selected.

-The following image shows the logs category groups on the add diagnostics settings page.

-| [Azure Monitor partner integrations](../../partner-solutions/overview.md)| Specialized integrations can be made between Azure Monitor and other non-Microsoft monitoring platforms. Integration is useful when you're already using one of the partners. |

-After you set up a diagnostic setting, data should start flowing to your selected destination(s) within 90 minutes. When sending logs to a Log Analytics workspace, the table will be created automatically if it doesn't already exist. The table is only created when the first log records are received. If you get no information within 24 hours, then you might be experiencing one of the following issues:

-| Storage account | Don't use an existing storage account that has other, non-monitoring data stored in it. Spliting the types of data up allow you better control access to the data. If you're archiving the activity log and resource logs together, you might choose to use the same storage account to keep all monitoring data in a central location.<br><br>To prevent modification of the data, send it to immutable storage. Set the immutable policy for the storage account as described in [Set and manage immutability policies for Azure Blob Storage](../../storage/blobs/immutable-policy-configure-version-scope.md). You must follow all steps in this linked article including enabling protected append blobs writes.<br><br>The storage account needs to be in the same region as the resource being monitored if the resource is regional.<br><br> Diagnostic settings can't access storage accounts when virtual networks are enabled. You must enable **Allow trusted Microsoft services** to bypass this firewall setting in storage accounts so that the Azure Monitor diagnostic settings service is granted access to your storage account.<br><br>[Azure DNS zone endpoints (preview)](../../storage/common/storage-account-overview.md#azure-dns-zone-endpoints-preview) and [Azure Premium LRS](../../storage/common/storage-redundancy.md#locally-redundant-storage) (locally redundant storage) storage accounts aren't supported as a log or metric destination.|

-| Partner integrations | The solutions vary by partner. Check the [Azure Monitor partner integrations documentation](../../partner-solutions/overview.md) for details.

- --source-resource-id $(az dataprotection backup-vault show -g <vaultrg> -v <VaultName> --query id -o tsv) \

-The Azure Backup service uses the credentials mentioned in the key-vault to access the database as a database user. The relevant key vault and the secret are [provided during configuration of backup](backup-azure-database-postgresql.md#configure-backup-on-azure-postgresql-databases). Grant appropriate permissions to the relevant backup or the database user to perform this operation on the database.

-# ms.devlang: csharp, python

-| destinationFilters | Delimited JSON array of packet filters that define which outbound packets to target for fault injection. Maximum of three. |

-| Description | Generates a new certificate version and thumbprint by using the Key Vault Certificate client library. Current working certificate is upgraded to this version. |

-Review the Azure portal documentation on [Supported devices](../azure-portal/azure-portal-supported-browsers-devices.md) for more information on browser support.

-* [Create a cloud service app in PHP](../cloud-services-php-create-web-role.md)

-|`participantType` | Description of the participant as a combination of its client (Azure Communication Services or Teams), and its identity, (Azure Communication Services or Microsoft 365). Possible values include: Azure Communication Services (Azure Communication Services identity and Azure Communication Services SDK), Teams (Teams identity and Teams client), Azure Communication Services as Teams external user (Azure Communication Services identity and Azure Communication Services SDK in Teams call or meeting), and Azure Communication Services as Microsoft 365 user (M365 identity and Azure Communication Services client).

-When you establish a peer-to-peer or group call, two protocols are used behind the scenes - HTTP (REST) for signaling and SRTP for media.

-Signaling between the SDKs or between SDKs and Communication Services Signaling Controllers is handled with HTTP REST (TLS). Azure Communication Services uses TLS 1.2. For Real-Time Media Traffic (RTP), the User Datagram Protocol (UDP) is preferred. If the use of UDP is prevented by your firewall, the SDK will use the Transmission Control Protocol (TCP) for media.

-SIP User-To-User (UUI) header is an industry standard to pass contextual information during a call setup process. The maximum length of a UUI header key is 64 chars. The maximum length of UUI header value is 256 chars.

-Azure Communication Services also supports up to five custom SIP headers. Custom SIP header key must start with a mandatory `X-MS-Custom-` prefix. The maximum length of a SIP header key is 64 chars, including the `X-MS-Custom-` prefix. The maximum length of SIP header value is 256 chars.

-All Azure Communications Gateway metrics support the **Region** dimension, allowing you to filter any metric by the Service Locations defined in your Azure Communications Gateway resource.

-You can also split a metric by the **Region** dimension to visualize how different segments of the metric compare with each other.

-This how-to guide describes how to build a [Consumption logic app workflow](../logic-apps/logic-apps-overview.md#resource-environment-differences) that sends the results of an Azure Monitor log query by email.

-1. In the [Azure portal](https://portal.azure.com), open your Consumption logic app and workflow in the designer.

-1. In your workflow where you want to add the Azure Monitor Logs action, follow these general steps to add an Azure Monitor Logs action](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=consumption#add-action).

-1. In the connection box, from the **Tenant** list, select your Microsoft Entra tenant, and then select **Create**.

- >

- > The account associated with the current connection is used later to send the email.

- > To use a different account, select **Change connection**.

-1. In your workflow where you want to add the Office 365 Outlook action, follow one of these steps:

- - To add an action under the last step, select **New step**.

- - To add an action between steps, move your pointer use over the connecting arrow. Select the plus sign (**+**) that appears, and then select **Add an action**.

-1. Under the **Choose an operation** search box, select **Standard**. In the search box, enter **Office 365 send email**.

-1. From the actions list, select the action named **Send an email (V2)**.

- 1. In the **Attachment Name** box, from the dynamic content list that appears, under **Run query and visualize results**, select the **Attachment Name** output.

- 1. In the **Attachment Content** box, from the dynamic content list that appears, under **Run query and visualize results**, select the **Attachment Content** output.

-### Test your workflow

- 

- 

-description: Automate workflows that trigger, pause, and resume based on events at a service endpoint by using Azure Logic Apps.

-# Create and run automated event-based workflows by using HTTP webhooks in Azure Logic Apps

-With [Azure Logic Apps](../logic-apps/logic-apps-overview.md) and the HTTP Webhook built-in connector, you can create an automated workflow that subscribes to a service endpoint, waits for specific events, and runs specific actions, rather than regularly check or *poll* the service endpoint.

-This how-to guide shows how to use the HTTP Webhook trigger and Webhook action so that your logic app workflow can receive and respond to events at a service endpoint.

-For more information, see these topics:

-* The URL for an already deployed endpoint or API that supports the webhook subscribe and unsubscribe pattern for [webhook triggers in logic apps](../logic-apps/logic-apps-create-api-app.md#webhook-triggers) or [webhook actions in logic apps](../logic-apps/logic-apps-create-api-app.md#webhook-actions) as appropriate

-* The logic app where you want to wait for specific events at the target endpoint. To start with the HTTP Webhook trigger, create a blank logic app workflow. To use the HTTP Webhook action, start your logic app with any trigger that you want. This example uses the HTTP trigger as the first step.

-This built-in trigger calls the subscribe endpoint on the target service and registers a callback URL with the target service. Your logic app then waits for the target service to send an `HTTP POST` request to the callback URL. When this event happens, the trigger fires and passes any data in the request along to the workflow.

-1. In the [Azure portal](https://portal.azure.com), pen your blank logic app workflow in the designer.

-1. In the designer's search box, enter `http webhook` as your filter. From the **Triggers** list, select the **HTTP Webhook** trigger.

- 

- This example renames the trigger to `HTTP Webhook trigger` so that the step has a more descriptive name. Also, the example later adds an HTTP Webhook action, and both names must be unique.

- In this example, the trigger includes the methods, URIs, and message bodies to use when performing the subscribe and unsubscribe operations.

- 

- | **Unsubscribe - Body** | No | An optional message body to include in the unsubscribe request <p><p>**Note**: This property doesn't support using the `listCallbackUrl()` function. However, the trigger automatically includes and sends the headers, `x-ms-client-tracking-id` and `x-ms-workflow-operation-name`, which the target service can use to uniquely identify the subscriber. |

- ||||

- 

-1. Continue building your logic app's workflow with actions that run when the trigger fires.

-1. When you're finished, done, remember to save your logic app. On the designer toolbar, select **Save**.

- Saving your logic app calls the subscribe endpoint on the target service and registers the callback URL. Your logic app then waits for the target service to send an `HTTP POST` request to the callback URL. When this event happens, the trigger fires and passes any data in the request along to the workflow. If this operation completes successfully, the trigger unsubscribes from the endpoint, and your logic app continues the remaining workflow.

-This built-in action calls the subscribe endpoint on the target service and registers a callback URL with the target service. Your logic app then pauses and waits for target service to send an `HTTP POST` request to the callback URL. When this event happens, the action passes any data in the request along to the workflow. If the operation completes successfully, the action unsubscribes from the endpoint, and your logic app continues running the remaining workflow.

-1. Sign in to the [Azure portal](https://portal.azure.com). Open your logic app in Logic App Designer.

- This example uses the HTTP Webhook trigger as the first step.

-1. Under the step where you want to add the HTTP Webhook action, select **New step**.

- To add an action between steps, move your pointer over the arrow between steps. Select the plus sign (**+**) that appears, and then select **Add an action**.

-1. In the designer's search box, enter `http webhook` as your filter. From the **Actions** list, select the **HTTP Webhook** action.

- 

- This example renames the action to "HTTP Webhook action" so that the step has a more descriptive name.

-1. Provide the values for the HTTP Webhook action parameters, which are similar to the [HTTP Webhook trigger parameters](../logic-apps/logic-apps-workflow-actions-triggers.md#http-webhook-trigger), that you want to use for the subscribe and unsubscribe calls.

- In this example, the action includes the methods, URIs, and message bodies to use when performing the subscribe and unsubscribe operations.

- 

- | **Unsubscribe - Body** | No | An optional message body to include in the unsubscribe request <p><p>**Note**: This property doesn't support using the `listCallbackUrl()` function. However, the action automatically includes and sends the headers, `x-ms-client-tracking-id` and `x-ms-workflow-operation-name`, which the target service can use to uniquely identify the subscriber. |

- ||||

- 

-1. When you're finished, remember to save your logic app. On the designer toolbar, select **Save**.

- Now, when this action runs, your logic app calls the subscribe endpoint on the target service and registers the callback URL. The logic app then pauses the workflow and waits for the target service to send an `HTTP POST` request to the callback URL. When this event happens, the action passes any data in the request along to the workflow. If the operation completes successfully, the action unsubscribes from the endpoint, and your logic app continues running the remaining workflow.

-||||

-|||

-## Connector reference

-For more information about trigger and action parameters, which are similar to each other, see [HTTP Webhook parameters](../logic-apps/logic-apps-workflow-actions-triggers.md#http-webhook-trigger).

-description: Learn how to enable a soft delete policy in your Azure Container Registry for recovering accidentally deleted artifacts for a set retention period.

-# Enable soft delete policy in Azure Container Registry (Preview)

-Azure Container Registry (ACR) allows you to enable the *soft delete policy* to recover any accidentally deleted artifacts for a set retention period.

-This feature is available in all the service tiers (also known as SKUs). For information about registry service tiers, see [Azure Container Registry service tiers](container-registry-skus.md).

-> [!NOTE]

->The soft deleted artifacts are billed as per active sku pricing for storage.

-The article gives you an overview of the soft delete policy and walks you through the step by step process to enable the soft delete policy using Azure CLI and Azure portal.

-You can use the Azure Cloud Shell or a local installation of the Azure CLI to run the command examples in this article. If you'd like to use it locally, version 2.0.74 or later is required. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).

-## Prerequisites

-* The user will require following permissions (at registry level) to perform soft delete operations:

- | Permission | Description |

- |||

- | Microsoft.ContainerRegistry/registries/deleted/read | List soft-deleted artifacts |

- | Microsoft.ContainerRegistry/registries/deleted/restore/action | Restore soft-deleted artifact |

-## About soft delete policy

-The soft delete policy can be enabled/disabled at your convenience.

-Once you enable the soft delete policy, ACR manages the deleted artifacts as the soft deleted artifacts with a set retention period. Thereby you have ability to list, filter, and restore the soft deleted artifacts. Once the retention period is complete, all the soft deleted artifacts are auto-purged.

-## Retention period

-The default retention period is seven days. It's possible to set the retention period value between one to 90 days. The user can set, update and change the retention policy value. The soft deleted artifacts will expire once the retention period is complete.

-## Auto-purge

-The auto-purge runs every 24 hours. The auto-purge always considers the current value of `retention days` before permanently deleting the soft deleted artifacts.

-For example, after five days of soft deleting the artifact, if the user changes the value of retention days from seven to 14 days, the artifact will only expire after 14 days from the initial soft delete.

-## Known issues

->* Enabling the soft delete policy with Availability Zones through ARM template leaves the registry stuck in the `creation` state. If you see this error, please delete and recreate the registry disabling Geo-replication on the registry.

->* Accessing the manage deleted artifacts blade after disabling the soft delete policy will throw an error message with 405 status.

->* The customers with restrictions on permissions to restore, will see an issue as File not found.

-### List the soft-delete artifacts- CLI

-### Restore the soft delete artifacts - CLI

-Force restore will overwrite the existing tag with the same name in the repository. If the soft delete policy is enabled during force restore. The overwritten tag will be soft deleted. You can force restore with specific arguments `--force, -f`.

->* Restoring a [manifest list](push-multi-architecture-images.md#manifest-list) won't recursively restore any underlying soft deleted manifests.

->* If you're restoring soft deleted [ORAS artifacts](container-registry-oras-artifacts.md), then restoring a subject doesn't recursively restore the referrer chain. Also, the subject has to be restored first, only then a referrer manifest is allowed to restore. Otherwise it throws an error.

-5. Select the number of days between `0` and `90` days to retain the soft deleted artifacts.

-4. Click on the **Manage deleted artifacts** to see all the soft deleted artifacts.

-5. Filter the deleted artifact you have to restore

-6. Select the artifact, and Click on the **Restore** in the right column.

-9. Click on **Restore**.

-4. In the **Repositories** tab, Click on **Manage Deleted Repositories**.

-7. Select the artifact, and Click on the **Restore** in the right column.

-9. Select the tag to restore, here you have an option to choose, and recover any additional tags.

-10. Click on **Restore**.

->* Importing a soft deleted image at both source and target resources is blocked.

->* Pushing an image to the soft deleted repository will restore the soft deleted repository.

->* Pushing an image that shares a same manifest digest with the soft deleted image is not allowed. Instead restore the soft deleted image.

- | **DataPlaneRequests** | All APIs | Logs back-end requests as data plane operations, which are requests executed to create, update, delete or retrieve data within the account. | `Requestcharge`, `statusCode`, `clientIPaddress`, `partitionID`, `resourceTokenPermissionId` `resourceTokenPermissionMode` |

- | **CassandraRequests** | API for Apache Cassandra | Logs user-initiated requests from the front end to serve requests to Azure Cosmos DB for Cassandra. When you enable this category, make sure to disable DataPlaneRequests. | `operationName`, `requestCharge`, `piiCommandText` |

- | **GremlinRequests** | API for Apache Gremlin | Logs user-initiated requests from the front end to serve requests to Azure Cosmos DB for Gremlin. When you enable this category, make sure to disable DataPlaneRequests. | `operationName`, `requestCharge`, `piiCommandText`, `retriedDueToRateLimiting` |

- | **QueryRuntimeStatistics** | API for NoSQL | This table details query operations executed against an API for NoSQL account. By default, the query text and its parameters are obfuscated to avoid logging personal data with full text query logging available by request. | `databasename`, `partitionkeyrangeid`, `querytext` |

- | **TableApiRequests** | API for Table | Logs user-initiated requests from the front end to serve requests to Azure Cosmos DB for Table. When you enable this category, make sure to disable DataPlaneRequests. | `operationName`, `requestCharge`, `piiCommandText` |

-tags: azure-resource-manager

-You can configure alerts based on your actual cost or forecasted cost to ensure that your spending is within your organizational spending limit. Notifications are triggered when the budget thresholds you've created are exceeded. Resources are not affected, and your consumption isn't stopped. You can use budgets to compare and track spending as you analyze costs.

-Budgets reset automatically at the end of a period (monthly, quarterly, or annually) for the same budget amount when you select an expiration date in the future. Because they reset with the same budget amount, you need to create separate budgets when budgeted currency amounts differ for future periods. When a budget expires, it's automatically deleted.

- - Billing account

-For Azure EA subscriptions, you must have read access to view budgets. To create and manage budgets, you must have contributor permission.

-After you identify your scope and filters, type a budget name. Then, choose a monthly, quarterly, or annual budget reset period. The reset period determines the time window that's analyzed by the budget. The cost evaluated by the budget starts at zero at the beginning of each new period. When you create a quarterly budget, it works in the same way as a monthly budget. The difference is that the budget amount for the quarter is evenly divided among the three months of the quarter. An annual budget amount is evenly divided among all 12 months of the calendar year.

-If you have a Pay-As-You-Go, MSDN, or Visual Studio subscription, your invoice billing period might not align to the calendar month. For those subscription types and resource groups, you can create a budget that's aligned to your invoice period or to calendar months. To create a budget aligned to your invoice period, select a reset period of **Billing month**, **Billing quarter**, or **Billing year**. To create a budget aligned to the calendar month, select a reset period of **Monthly**, **Quarterly**, or **Annually**.

-Budgets require at least one cost threshold (% of budget) and a corresponding email address. You can optionally include up to five thresholds and five email addresses in a single budget. When a budget threshold is met, email notifications are normally sent within an hour of the evaluation. Actual costs budget alerts are generated for the actual cost you've accrued in relation to the budget thresholds configured.

-Alert limits support a range of 0.01% to 1000% of the budget threshold that you've provided.

-After you create a budget, it's shown in cost analysis. Viewing your budget against your spending trend is one of the first steps when you start to [analyze your costs and spending](./quick-acm-cost-analysis.md).

- - Owner role on the storage account.

- - Any custom role with `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/permissions/read` permissions.

-Scheduled exports get affected by the time and day of week of when you initially create the export. When you create a scheduled export, the export runs at the same frequency for each export that runs later. For example, for a daily export of month-to-date costs export set at a daily frequency, the export runs during once each UTC day. Similarly for a weekly export, the export runs every week on the same UTC day as it is scheduled. Individual export runs can occur at different times throughout the day. So, avoid taking a firm dependency on the exact time of the export runs. Run timing depends on the active load present in Azure during a given UTC day. When an export run begins, your data should be available within 4 hours.

-One of the purposes of exporting your Cost Management data is to access the data from external systems. You might use a dashboard system or other financial system. Such systems vary widely so showing an example wouldn't be practical. However, you can get started with accessing your data from your applications at [Introduction to Azure Storage](../../storage/common/storage-introduction.md).

-1. Select the **From Text/CSV** option.

-1. In the next box, set **File origin** to **65001: Unicode (UTF-8)**.

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-Your Azure for Students subscription might get disabled because you've used all of your credit, your credit has expired, or you've accidentally canceled your subscription. See what issue applies to you and learn how you can get your subscription reactivated.

-## You've used all of your credit

-Azure for Students account gives you $100 in credit and a limited quantity of free services for 12 months. Any usage beyond the free services and quantities is deducted from your credit. Once your credit runs out, Azure disables your services and subscription. To continue using Azure services, you must upgrade your subscription to a pay-as-you-go subscription by contacting [Azure support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade). After you upgrade, your subscription still has access to free services for 12 months from your sign-up date. You only get charged for usage beyond the free services and quantities.

-You can check your remaining credit on the [Microsoft Azure Sponsorships portal](https://www.microsoftazuresponsorships.com/balance)

-## Your credit has expired

-Your Azure for Students credit expires at the end of 12 months. Once your credit expires, Azure disables your subscription. To continue using Azure services, you must upgrade your subscription to a Pay-As-You-Go subscription by contacting [Azure support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade). After you upgrade, Azure charges you pay-as-you-go rates for any services you're using.

-## You've accidentally canceled your subscription

-If you've accidentally canceled your Azure for Students subscription, you can reactivate it by contacting [Azure support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade). Once you reactivate, you still have access to the remaining credit and free services for 12 months from your sign-up date.

-tags: billing,top-support-issue

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-description: Learn how to use Azure automation to shut down VMs based on specific budget thresholds.

-tags: billing

-A common budgets scenario for a customer running a non-critical workload could occur when they want to manage against a budget and also get to a predictable cost when looking at the monthly invoice. This scenario requires some cost-based orchestration of resources that are part of the Azure environment. In this scenario, a monthly budget of $1000 for the subscription is set. Also, notification thresholds are set to trigger a few orchestrations. This scenario starts with an 80% cost threshold, which will stop all VMs in the resource group **Optional**. Then, at the 100% cost threshold, all VM instances will be stopped.

-[Azure Automation](../../automation/automation-intro.md) is a service that enables you to script most of your resource management tasks and run those tasks as either scheduled or on-demand. As part of this scenario, you'll create an [Azure Automation runbook](../../automation/automation-runbook-types.md) that will be used to stop VMs. You'll use the [Stop Azure V2 VMs](https://gallery.technet.microsoft.com/scriptcenter/Stop-Azure-ARM-VMs-1ba96d5b) graphical runbook from the [gallery](../../automation/automation-runbook-gallery.md) to build this scenario. By importing this runbook into your Azure account and publishing it, you can stop VMs when a budget threshold is reached.

-Using an [Azure Automation runbook](../../automation/automation-runbook-types.md), import the [Stop Azure V2 VMs](https://gallery.technet.microsoft.com/scriptcenter/Stop-Azure-ARM-VMs-1ba96d5b) graphical runbook from the gallery.

-1. Locate and select the [Stop Azure V2 VMs](https://gallery.technet.microsoft.com/scriptcenter/Stop-Azure-ARM-VMs-1ba96d5b) gallery item within the Azure portal.

-Using the [Stop Azure V2 VMs](https://gallery.technet.microsoft.com/scriptcenter/Stop-Azure-ARM-VMs-1ba96d5b) graphical runbook, you create two Webhooks to start the runbook in Azure Automation through a single HTTP request. The first webhook invokes the runbook at an 80% budget threshold with the resource group name as a parameter, allowing the optional VMs to be stopped. Then, the second webhook invokes the runbook with no parameters (at 100%), which stops all remaining VM instances.

-1. Select **Add** > **Add row** within the Condition box to add an additional part of the condition.

-You now have all the pieces you need to call the [budgets API](/rest/api/consumption/budgets). The budgets API reference has additional details on the specific requests, including:

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-> [!Note]

-The Azure Enterprise Reporting APIs enable Enterprise Azure customers to programmatically pull consumption and billing data into preferred data analysis tools. Enterprise customers have signed an [Enterprise Agreement (EA)](https://azure.microsoft.com/pricing/enterprise-agreement/) with Azure to make negotiated Azure Prepayment (previously called monetary commitment) and gain access to custom pricing for Azure resources.

-* **Generate or retrieve the API key** - Log in to the Enterprise portal, and navigate to Reports > Download Usage > API Access Key to generate or retrieve the API key.

-* **Passing keys in the API** - The API key needs to be passed for each call for Authentication and Authorization. The following property needs to be to the HTTP headers

-A Swagger endpoint is available [here](https://consumption.azure.com/swagger/ui/index) for the APIs described below which should enable easy introspection of the API and the ability to generate client SDKs using [AutoRest](https://github.com/Azure/AutoRest) or [Swagger CodeGen](https://swagger.io/swagger-codegen/). Data beginning May 1, 2014 is available through this API.

-* **Balance and Summary** - The [Balance and Summary API](/rest/api/billing/enterprise/billing-enterprise-api-balance-summary) offers a monthly summary of information on balances, new purchases, Azure Marketplace service charges, adjustments and overage charges.

-* **Usage Details** - The [Usage Detail API](/rest/api/billing/enterprise/billing-enterprise-api-usage-detail) offers a daily breakdown of consumed quantities and estimated charges by an Enrollment. The result also includes information on instances, meters and departments. The API can be queried by Billing period or by a specified start and end date.

-* **Marketplace Store Charge** - The [Marketplace Store Charge API](/rest/api/billing/enterprise/billing-enterprise-api-marketplace-storecharge) returns the usage-based marketplace charges breakdown by day for the specified Billing Period or start and end dates (one time fees are not included).

-Etags will be returned in the response of all the above API. A change in Etag indicates the data has been refreshed. In subsequent calls to the same API using the same parameters, pass the captured Etag with the key "If-None-Match" in the header of http request. The response status code would be "NotModified" if the data has not been refreshed any further and no data will be returned. API will return the full dataset for the required period whenever there is an etag change.

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing,top-support-issue

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing, past due, pay now, bill, invoice, pay

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-tags: billing

-| 16 | 16 | 32 | |

-| 64 | 16 | 80 | Large |

-> Applying regional format changes will discard any unsaved changes in your data factory.

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-1.png" alt-text="Screenshot of Azure Data Factory home page with an Opt-in option in a banner at the top of the screen.":::

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-2.png" alt-text="Screenshot of Azure Data Factory home page highlighting Settings gear in top right corner.":::

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-3.png" alt-text="Screenshot of Settings panel highlighting button to turn on Azure Data Factory Studio preview update.":::

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-4.png" alt-text="Screenshot of Settings panel showing Azure Data Factory Studio preview update turned on and the Apply button in the bottom left corner.":::

- Your data factory will refresh to show the preview features.

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-5.png" alt-text="Screenshot of Azure Data Factory home page with an Opt-out option in a banner at the top of the screen and Settings gear in the top right corner of the screen.":::

-In supported activities, you'll see an icon next to the setting. Clicking this will open up the flyout where you can choose your dynamic content.

-The monitoring experience remains the same as detailed [here](monitor-visually.md), except for items detailed below.

-When monitoring your pipeline run, you have the option to enable the container view, which will provide a consolidated view of the activities that ran.

-Select **Container** to see the new container view. If you have iteration or conditional activities, the nested activities will be grouped under the parent activity.

-We want to hear from you! If you see this pop-up, please let us know your thoughts by providing feedback on the updates you've tested.

-You'll now identify a specific Azure Marketplace image that you wish to use. Azure Marketplace hosts thousands of VM images.

-To find some of the most commonly used Marketplace images that match your search criteria, run the following command.

-az vm image list --all --publisher "MicrosoftWindowsserver" --offer "WindowsServer"

-#Returns all VM images from a publisher

-az vm image list --all --publisher "Canonical"

-In this example, we will select Windows Server 2019 Datacenter Core, version 2019.0.20190410. We will identify this image by its Universal Resource Number (ΓÇ£URNΓÇ¥).

-

-Below is a list of URNs for some of the most commonly used images. If you just want the latest version of a particular OS, the version number can be replaced with ΓÇ£latestΓÇ¥ in the URN. For example, ΓÇ£MicrosoftWindowsServer:WindowsServer:2019-Datacenter:LatestΓÇ¥.

-Create an Azure Managed Disk from your chosen Marketplace image.

- $diskAccessSAS = ($sas | ConvertFrom-Json)[0].accessSas

-## Export a VHD from the managed disk to Azure Storage

-

-

- Get-AzureStorageBlobCopyState ΓÇôContainer $containerName ΓÇôContext $destContext -Blob $destBlobName

-az disk revoke-access --name $diskName --resource-group $diskRG

-az disk delete --name $diskName --resource-group $diskRG --yes

-"parameters": {

- "value": "<name of the VM>"

- "value": "<name for the extension. Example: windowsGpu>"

- "value": "Microsoft.HpcCompute"

- "value": "NvidiaGpuDriverWindows"

- "value": "1.5"

-

-"parameters": {

- "value": "<name of the VM>"

- "value": "<name for the extension. Example: windowsGpu>"

- "value": "Microsoft.HpcCompute"

- "value": "NvidiaGpuDriverWindows"

- "value": "1.3"

-"parameters": {

- "value": "<name of the VM>"

- "value": "<name for the extension. Example: linuxGpu>"

- "value": "Microsoft.HpcCompute"

- "value": "NvidiaGpuDriverLinux"

- "value": "1.8"

-"parameters": {

- "value": "<name of the VM>"

- "value": "<name for the extension. Example: linuxGpu>"

- "value": "Microsoft.HpcCompute"

- "value": "NvidiaGpuDriverLinux"

- "value": "1.3"

- "value": "VM1"

- "value": "gpuLinux"

- "value": "Microsoft.HpcCompute"

- "value": "NvidiaGpuDriverLinux"

- "value": "1.3"

-## Deploy template

-$templateFile = "<Path to addGPUextensiontoVM.json>"

-$templateParameterFile = "<Path to addGPUExtWindowsVM.parameters.json>"

-Deploy the template `addGPUextensiontoVM.json` to install the extension to an existing VM.

-$templateFile = "Path to addGPUextensiontoVM.json"

-$templateParameterFile = "Path to addGPUExtLinuxVM.parameters.json"

-$RGName = "<Name of your resource group>"

-```

-Extension execution output is logged to the following file. Refer to this file `C:\Packages\Plugins\Microsoft.HpcCompute.NvidiaGpuDriverWindows\1.3.0.0\Status` to track the status of installation.

-To check the deployment state of extensions for a given VM, open another PowerShell session (run as administrator), and then run the following command:

-Here's a sample output:

-Sign in to the VM and run the nvidia-smi command-line utility installed with the driver.

-1. Connect to the GPU VM. Follow the instructions in [Connect to a Linux VM](azure-stack-edge-gpu-deploy-virtual-machine-powershell.md#connect-to-a-linux-vm).

-

-

-

- Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.0.0-1031-azure x86_64)

- * Support: https://ubuntu.com/advantage

- System information as of Thu Dec 10 22:57:01 UTC 2020

-

-

-

-

-

- - -

-# Tutorial: Use REST APIs to Copy data to Azure Data Box Blob storage

-* Download the certificate from Azure portal. This certificate is used for connecting to the web UI and Azure Blob storage REST APIs.

-Several, such as Ubuntu and Debian, use the `update-ca-certificates` command.

-### Add device IP address and blob service endpoint

- - Have other [required software](data-box-disk-system-requirements.md#other-required-software-for-windows-clients) installed if it is a Windows client.

-

-Perform the following steps to connect and unlock your disks.

- ```

- ```

-Perform the following steps to connect and unlock your disks.

-2. Download the Data Box Disk toolset corresponding to the Linux client.

- `chmod +x DataBoxDiskUnlock_x86_64`

- `chmod +x DataBoxDiskUnlock_Prep.sh`

- A sample output is shown below. Once the chmod command is run, you can verify that the file permissions are changed by running the `ls` command.

-

- [user@localhost Downloads]$ chmod +x DataBoxDiskUnlock_x86_64

- [user@localhost Downloads]$ chmod +x DataBoxDiskUnlock_Prep.sh

- [user@localhost Downloads]$ ls -l

- -rwxrwxr-x. 1 user user 1152664 Aug 10 17:26 DataBoxDiskUnlock_x86_64

- The script will first check whether your client computer is running a supported operating system. A sample output is shown below.

-

- [user@localhost Documents]$ sudo ./DataBoxDiskUnlock_Prep.sh

- OS = CentOS Version = 6.9

- Release = CentOS release 6.9 (Final)

- Architecture = x64

- The script will install the following packages and dependencies.

- epel-release

- dislocker

- ntfs-3g

- fuse-dislocker

-

-5. Type `y` to continue the install. The packages that the script installs are:

- - **epel-release** - Repository that contains the following three packages.

- - **dislocker and fuse-dislocker** - These utilities helps decrypting BitLocker encrypted disks.

- - **ntfs-3g** - Package that helps mount NTFS volumes.

-

- Once the packages are successfully installed, the terminal will display a notification to that effect.

- Dependency Installed: compat-readline5.x86 64 0:5.2-17.I.el6 dislocker-libs.x86 64 0:0.7.1-8.el6 mbedtls.x86 64 0:2.7.4-l.el6        ruby.x86 64 0:1.8.7.374-5.el6

- ruby-libs.x86 64 0:1.8.7.374-5.el6

- Complete!

- Loaded plugins: fastestmirror, refresh-packagekit, security

- Setting up Remove Process

- Resolving Dependencies

- --> Running transaction check

- > Package epel-release.noarch 0:6-8 will be erased --> Finished Dependency Resolution

- Dependencies Resolved

- Package        Architecture        Version        Repository        Size

- Removing: epel-release        noarch         6-8        @extras        22 k

- Transaction Summary                                

- Remove        1 Package(s)

- Installed size: 22 k

- Downloading Packages:

- Running rpmcheckdebug

- Running Transaction Test

- Transaction Test Succeeded

- Running Transaction

- Erasing : epel-release-6-8.noarch

- Verifying : epel-release-6-8.noarch

- Removed:

- epel-release.noarch 0:6-8

- Complete!

- Dislocker is installed by the script.

-6. Run the Data Box Disk Unlock tool. Supply the passkey from the Azure portal you obtained in [Connect to disks and get the passkey](#connect-to-disks-and-get-the-passkey). Optionally specify a list of BitLocker encrypted volumes to unlock. The passkey and volume list should be specified within single quotes.

-

- The sample output is shown below.

-

- [user@localhost Downloads]$ sudo ./DataBoxDiskUnlock_x86_64 /Passkey:'qwerqwerqwer'

-

- START: Mon Aug 13 14:25:49 2018

- Volumes: /dev/sdbl

- Passkey: qwerqwerqwer

-

- Volumes for data copy :

- /dev/sdbl: /mnt/DataBoxDisk/mountVoll/

-7. Repeat unlock steps for any future disk reinserts. Use the `help` command if you need help with the Data Box Disk unlock tool.

-

- `sudo ./DataBoxDiskUnlock_x86_64 /Help`

- The sample output is shown below.

-

- [user@localhost Downloads]$ sudo ./DataBoxDiskUnlock_x86_64 /Help

- START: Mon Aug 13 14:29:20 2018

- USAGE:

- sudo DataBoxDiskUnlock /PassKey:'<passkey from Azure_portal>'

-

- Example: sudo DataBoxDiskUnlock /PassKey:'passkey'

- Example: sudo DataBoxDiskUnlock /PassKey:'passkey' /Volumes:'/dev/sdbl'

- Example: sudo DataBoxDiskUnlock /Help Example: sudo DataBoxDiskUnlock /Clean

-

- /PassKey: This option takes a passkey as input and unlocks all of your disks.

- Get the passkey from your Data Box Disk order in Azure portal.

- /Volumes: This option is used to input a list of BitLocker encrypted volumes.

- /Help: This option provides help on the tool usage and examples.

- /Unmount: This option unmounts all the volumes mounted by this tool.

-

-

-8. Once the disk is unlocked, you can go to the mount point and view the contents of the disk. You are now ready to copy the data to *BlockBlob* or *PageBlob* folders.

-If you run into any issues while unlocking the disks, see how to [troubleshoot unlock issues](data-box-disk-troubleshoot-unlock.md).

- > [Download Data Box Disk toolset for Linux](https://aka.ms/databoxdisktoolslinux)

- ```

- - Get the passkey from **General > Device details** in the Azure portal and provide it here. The drive letter assigned to the disk is displayed.

-4. To unlock the disks on a Linux client, open a terminal. Go to the folder where you downloaded the software. Type the following commands to change the file permissions so that you can execute these files:

- ```

- ```

-# Tutorial: Copy data to Azure Data Box Blob storage via REST APIs

- - Be connected to a high-speed network. For fastest copy speeds, two 40-GbE connections (one per node) can be utilized in parallel. If you do not have 40-GbE connection available, we recommend that you have at least two 10-GbE connections (one per node).

-

-### Import certificate

-Several, such as Ubuntu and Debian, use the `update-ca-certificates` command.

-### Add device IP address and blob service endpoint

-| DeviceInfoΓÇ»

-| summarize arg_max(Timestamp, *) by DeviceIdΓÇ»

-| where DeviceType == "NetworkDevice" and DeviceSubtype ΓÇ»== "Router"ΓÇ»

-| join kind=inner DeviceTvmSoftwareVulnerabilities on DeviceId

->

-> - If you're integrating your security solution with cloud-based systems, we recommend that you use data connectors through [Microsoft Sentinel](#cloud-based-integrations).

- > The region you select for the virtual network is the where Azure deploys the dev boxes.

- [Event Grid subscription schema](./subscription-creation-schema.md).

-Defender EASM provides five dashboards:

-Insight Priorities are determined by MicrosoftΓÇÖs assessment of the potential impact of each insight. For instance, high severity insights can include vulnerabilities that are new, exploited frequently, particularly damaging, or easily exploited by hackers with a lower skill level. Low severity insights can include use of deprecated technology that is no longer supported, infrastructure that will soon expire, or compliance issues that do not align with security best practices. Each insight contains suggested remediation actions to protect against potential exploits.

-Some insights are flagged with "Potential" in the title. A "Potential" insight occurs when Defender EASM is unable to confirm that an asset is impacted by a vulnerability. This is common when our scanning system detects the presence of a specific service but cannot detect the version number. For example, some services enable administrators to hide version information. Vulnerabilities are often associated with specific versions of the software, so manual investigation is required to determine whether the asset is impacted. Other vulnerabilities can be remediated by steps that Defender EASM is unable to detect. For instance, users can make recommended changes to service configurations or run backported patches. If an insight is prefaced with "Potential", the system has reason to believe that the asset is impacted by the vulnerability but is unable to confirm it for one of the above listed reasons. To manually investigate, click the insight name to review remediation guidance that can help you determine whether your assets are impacted.

-A user will usually decide to first investigate any High Severity Observations. You can click the top-listed observation to be directly routed to a list of impacted assets, or instead select ΓÇ£View All __ InsightsΓÇ¥ to see a comprehensive, expandable list of all potential observations within that severity group.

-For instance, your organization might have recently decided to migrate all cloud infrastructure to a single provider to simplify and consolidate their Attack Surface. This chart can help you identify assets that still need to be migrated. Each bar of the chart is clickable, routing users to a filtered list that displays the assets that comprise the chart value.

-your applications through rich retry policies and dead-letter delivery. Event Grid takes

-To learn more, see [Event Grid message delivery and retry](../../../event-grid/delivery-and-retry.md).

-Event Grid has a few benefits for customers and services in the Azure ecosystem:

- state change.

-There are two primary entities when using Event Grid:

-Another scenario is to automatically trigger remediation tasks without manually ticking off _create

-remediation task_ on the policy page. Event Grid checks for compliance state and resources that are currently

-Additionally, Event Grid is helpful as an audit system to store state changes and understand cause of noncompliance over

-time. The scenarios for Event Grid are endless and based on the motivation, Event Grid is configurable.

-This is the FAQ for Azure Internet Analyzer- if you have additional questions, go to the [feedback forum](https://aka.ms/internetAnalyzerFeedbackForum) and post your question. When a question is frequently asked, we add it to this article so it can be found quickly and easily.

-## How do I participate in the preview?

-The preview is available to select customers. If you are interested in joining the preview, please do the following:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. Navigate to the **Subscriptions** page.

-3. Click on the Azure subscription that you plan to use Internet Analyzer with.

-4. Go to the **Resource providers** settings for the subscription.

-5. Search for **Microsoft.Network** and click on the **Register** (or **Re-register**) button.

-

-6. [Request approval](https://aka.ms/internetAnalyzerContact) by providing us your email address and the Azure subscription ID that was used to make the access request.

-7. Once your request has been approved, you will receive an email confirmation and will be able to create/update/modify Internet Analyzer resources from the newly allowed Azure subscription.

-* ***Test:*** Select the test that youΓÇÖd like to view results for - each test has its own scorecard. Test data will appear once there is enough data to complete the analysis ΓÇô in most cases, this should be within 24 hours.

-The number of measurements impacts the confidence of the analysis. The higher the count, the more accurate the result. At minimum, tests should aim for a minimum of 100 measurements per endpoint per day. If measurement counts are too low, please configure the JavaScript client to execute more frequently in your application. The measurement counts for endpoints A and B should be very similar although small differences are expected and okay. In the case of large differences, the results should not be trusted.

-Latency, measured in milliseconds, is a popular metric for measuring speed between a source and destination on the Internet. Latency data is not normally distributed (i.e. does not follow a "Bell Curve") because there is a "long-tail" of large latency values that skew results when using statistics such as the arithmetic mean. As an alternative, percentiles provide a "distribution-free" way to analyze data. As an example, the median, or 50th percentile, summarizes the middle of the distribution - half the values are above it and half are below it. A 75th percentile value means it is larger than 75% of all values in the distribution. Internet Analyzer refers to percentiles in shorthand as P50, P75, and P95.

-For analysis purposes, P50 (median), is useful as an expected value for a latency distribution. Higher percentiles, such as P95, are useful for identifying how high latency is in the worst cases. If you are interested in understanding customer latency in general, P50 is the correct metric to focus on. If you are concerned with understanding performance for the worst-performing customers, then P95 should be the focus. P75 is a balance between these two.

-A delta is the difference in metric values for endpoints A and B. Deltas are computed to show the benefit of B over A. Positive values indicate B performed better than A, whereas negative values indicate B's performance is worse. Deltas can be absolute (e.g. 10 milliseconds) or relative (5%).

-description: Learn about the prerequisites to set up peering with Microsoft.

-Ensure the prerequisites below are met before you request for a new peering or convert a legacy peering to Azure resource.

-* **Microsoft Azure account:**

-* **Associate Peer ASN:**

-* **PeeringDB profile:**

-## Next steps

-* [Create or modify a Direct peering using the Azure portal](howto-direct-portal.md).

-* [Convert a legacy Direct peering to Azure resource using the Azure portal](howto-legacy-direct-portal.md)

-* [Create or modify Exchange peering using the Azure portal](howto-exchange-portal.md)

-* [Convert a legacy Exchange peering to Azure resource using the Azure portal](howto-legacy-exchange-portal.md)

-description: Get started with Direct peering.

-The following steps must be followed to provision a Direct peering:

-1. Once peering request is approved, connection state changes to *ProvisioningStarted*.

-1. You need to:

- 1. complete wiring according to the LOA

- 1. (optionally) perform link test using 169.254.0.0/16

-1. If successful, you receive a notification that peering connection state is *Active*.

-1. Traffic will then be allowed through the new peering.

-## Convert a legacy Direct peering to Azure resource

-The following steps must be followed to convert a legacy Direct peering to Azure resource:

-1. After you submit the conversion request, Microsoft will review the request and contact you if necessary.

-1. Once approved, you see your Direct peering with a connection state as *Active*.

-When a Direct peering is set for deprovision, you see the connection state as *PendingRemove*.

-> If you run PowerShell cmdlet to delete the Direct peering when the ConnectionState is *ProvisioningStarted* or *ProvisioningCompleted*, the operation will fail.

-## Next steps

-* Learn about the [Prerequisites to set up peering with Microsoft](prerequisites.md).

-description: Get started with Exchange peering.

-The following steps must be followed in order to provision an Exchange peering:

-1. Once peering request is approved, connection state changes to *Approved*.

-1. If successful, you receive a notification that peering connection state is *Active*.

-1. Traffic will then be allowed through the new peering.

-> Connection states aren't to be confused with standard BGP session states.

-The following steps must be followed in order to convert a legacy Exchange peering to Azure resource:

-1. Once approved, you see your Exchange peering with a connection state as *Active*.

-## Deprovision Exchange peering

-Contact [Microsoft peering](mailto:peering@microsoft.com) to deprovision Exchange peering.

-When an Exchange peering is set for deprovision, you see the connection state as *PendingRemove*.

-> [!NOTE]

-> If you run PowerShell cmdlet to delete the Exchange peering when the connection state is *ProvisioningStarted* or *ProvisioningCompleted*, the operation will fail.

-## Next steps

-* Learn about the [Prerequisites to set up peering with Microsoft](prerequisites.md).

-1. Check the MTU setting for your docker network.

-

-

-warn: edgelet_utils::logging -- caused by: failed to create endpoint edgeHub on network nat: hnsCall failed in Win32:

-1. In your IoT Hub, select your IoT Edge device and from the device details page and select **Set Modules** > **Runtime Settings**.

-1. Create an environment variable for the IoT Edge hub module called *OptimizeForPerformance* with type *True/False* that is set to *False*.

-1. Select **Apply** to save changes, then select **Review + create**.

-

-For all Linux distros except CentOS 7, IoT Edge's default configuration is to use `systemd` socket activation. A permission error happens if you change the configuration file to not use socket activation but leave the URLs as `/var/run/iotedge/*.sock`, since the `iotedge` user can't write to `/var/run/iotedge` meaning it can't unlock and mount the sockets itself.

-When attempting to migrate a hierarchy of IoT Edge devices from one IoT hub to another, the top level parent IoT Edge device can connect to IoT Hub, but downstream IoT Edge devices can't. The logs report `Unable to authenticate client downstream-device/$edgeAgent with module credentials`.

-1. Follow [this guide to export and then import device identities](../iot-hub/iot-hub-bulk-identity-mgmt.md) from the old IoT hub to the new one

-> Azure App Service certificate configuration through Azure Portal does not support Key Vault RBAC permission model. You can use Azure PowerShell, Azure CLI, ARM template deployments with **Key Vault Certificate User** role assignment for App Service global identity, for example Microsoft Azure App Service' in public cloud.

-| Key Vault Certificate User | Read entire certificate contents including secret and key portion. Only works for key vaults that use the 'Azure role-based access control' permission model. | db79e9a7-68ee-4b58-9aeb-b90e7c24fcba |

-description: Overview of cross region load balancer tier for Azure Load Balancer.

-# Cross-region (Global) Load Balancer

-Azure Standard Load Balancer supports cross-region load balancing enabling geo-redundant high availability scenarios such as:

-* Incoming traffic originating from multiple regions.

-* [Instant global failover](#regional-redundancy) to the next optimal regional deployment.

-* Load distribution across regions to the closest Azure region with [ultra-low latency](#ultra-low-latency).

-* Ability to [scale up/down](#ability-to-scale-updown-behind-a-single-endpoint) behind a single endpoint.

-* Static anycast global IP address

-* [Client IP preservation](#client-ip-preservation)

-* [Build on existing load balancer](#build-cross-region-solution-on-existing-azure-load-balancer) solution with no learning curve

-The frontend IP configuration of your cross-region load balancer is static and advertised across [most Azure regions](#participating-regions).

-> [!NOTE]

-> The backend port of your load balancing rule on cross-region load balancer should match the frontend port of the load balancing rule/inbound nat rule on regional standard load balancer.

-### Regional redundancy

-Configure regional redundancy by seamlessly linking a cross-region load balancer to your existing regional load balancers.

-If one region fails, the traffic is routed to the next closest healthy regional load balancer.

-The health probe of the cross-region load balancer gathers information about availability of each regional load balancer every 5 seconds. If one regional load balancer drops its availability to 0, cross-region load balancer detects the failure. The regional load balancer is then taken out of rotation.

-### Ultra-low latency

-The geo-proximity load-balancing algorithm is based on the geographic location of your users and your regional deployments.

-Traffic started from a client hits the closest participating region and travel through the Microsoft global network backbone to arrive at the closest regional deployment.

-For example, you have a cross-region load balancer with standard load balancers in Azure regions:

-* West US

-* North Europe

-If a flow is started from Seattle, traffic enters West US. This region is the closest participating region from Seattle. The traffic is routed to the closest region load balancer, which is West US.

-Azure cross-region load balancer uses geo-proximity load-balancing algorithm for the routing decision.

-The configured load distribution mode of the regional load balancers is used for making the final routing decision when multiple regional load balancers are used for geo-proximity.

-For more information, see [Configure the distribution mode for Azure Load Balancer](./load-balancer-distribution-mode.md).

-Egress traffic follows the routing preference set on the regional load balancers.

-### Ability to scale up/down behind a single endpoint

-When you expose the global endpoint of a cross-region load balancer to customers, you can add or remove regional deployments behind the global endpoint without interruption.

-<!To learn about how to add or remove a regional deployment from the backend, read more [here](TODO: Insert CLI doc here).>

-### Static anycast global IP address

-Cross-region load balancer comes with a static public IP, which ensures the IP address remains the same. To learn more about static IP, read more [here](../virtual-network/ip-services/public-ip-addresses.md#ip-address-assignment)

-### Client IP Preservation

-Cross-region load balancer is a Layer-4 pass-through network load balancer. This pass-through preserves the original IP of the packet. The original IP is available to the code running on the virtual machine. This preservation allows you to apply logic that is specific to an IP address.

-### Floating IP

-Floating IP can be configured at both the global IP level and regional IP level. For more information, visit [Multiple frontends for Azure Load Balancer](./load-balancer-multivip-overview.md)

-It is important to note that floating IP configured on the Azure cross-region Load Balancer operates independently of floating IP configurations on backend regional load balancers. If floating IP is enabled on the cross-region load balancer, the appropriate loopback interface needs to be added to the backend VMs.

-### Health Probes

-Azure cross-region Load Balancer utilizes the health of the backend regional load balancers when deciding where to distribute traffic to. Health checks by cross-region load balancer are done automatically every 5 seconds, given that a user has set up health probes on their regional load balancer.  

-## Build cross region solution on existing Azure Load Balancer

-The backend pool of cross-region load balancer contains one or more regional load balancers.

-Add your existing load balancer deployments to a cross-region load balancer for a highly available, cross-region deployment.

-**Home region** is where the cross-region load balancer or Public IP Address of Global tier is deployed.

-This region doesn't affect how the traffic is routed. If a home region goes down, traffic flow is unaffected.

-### Home regions

-* Central US

-* East Asia

-* East US 2

-* North Europe

-* Southeast Asia

-* UK South

-* US Gov Virginia

-* West Europe

-* West US

-> [!NOTE]

-> You can only deploy your cross-region load balancer or Public IP in Global tier in one of the listed Home regions.

-A **participating region** is where the Global public IP of the load balancer is being advertised.

-Traffic started by the user travels to the closest participating region through the Microsoft core network.

-Cross-region load balancer routes the traffic to the appropriate regional load balancer.

-### Participating regions

-* Australia East

-* Australia Southeast

-* Central India

-* Central US

-* East Asia

-* East US

-* East US 2

-* Japan East

-* North Central US

-* North Europe

-* South Central US

-* Southeast Asia

-* UK South

-* US DoD Central

-* US DoD East

-* US Gov Arizona

-* US Gov Texas

-* US Gov Virginia

-* West Central US

-* West Europe

-* West US

-* West US 2

-> [!NOTE]

-> The backend regional load balancers can be deployed in any publicly available Azure Region and is not limited to just participating regions.

-## Limitations

-* Cross-region frontend IP configurations are public only. An internal frontend is currently not supported.

-* Private or internal load balancer can't be added to the backend pool of a cross-region load balancer

-* NAT64 translation isn't supported at this time. The frontend and backend IPs must be of the same type (v4 or v6).

-* UDP traffic isn't supported on Cross-region Load Balancer for IPv6.

-* UDP traffic on port 3 isn't supported on Cross-Region Load Balancer

-* Outbound rules aren't supported on Cross-region Load Balancer. For outbound connections, utilize [outbound rules](./outbound-rules.md) on the regional load balancer or [NAT gateway](../nat-gateway/nat-overview.md).

-## Pricing and SLA

-Cross-region load balancer shares the [SLA](https://azure.microsoft.com/support/legal/sla/load-balancer/v1_0/) of standard load balancer.

- ## Next steps

-description: With this learning path, get started with Azure Standard Load Balancer and Availability Zones.

-# Load Balancer and Availability Zones

-Azure Load Balancer supports availability zones scenarios. You can use Standard Load Balancer to increase availability throughout your scenario by aligning resources with, and distribution across zones. Review this document to understand these concepts and fundamental scenario design guidance.

-A Load Balancer can either be **zone redundant, zonal,** or **non-zonal**. The load balancer's availability zone selection is synonymous with its frontend IP's zone selection. For public load balancers, if the public IP in the Load balancer's frontend is zone redundant then the load balancer is also zone-redundant. If the public IP in the load balancer's frontend is zonal, then the load balancer will also be designated to the same zone. To configure the zone-related properties for your load balancer, select the appropriate type of frontend needed.

-## Zone redundant

-In a region with Availability Zones, a Standard Load Balancer can be zone-redundant with traffic served by a single IP address. A single frontend IP address survives zone failure. The frontend IP may be used to reach all (non-impacted) backend pool members no matter the zone. Up to one availability zone can fail and the data path survives as long as the remaining zones in the region remain healthy.

-The frontend's IP address is served simultaneously by multiple independent infrastructure deployments in multiple availability zones. Any retries or reestablishment will succeed in other zones not affected by the zone failure.

-<p align="center">

- <img src="./media/az-zonal/zone-redundant-lb-1.svg" alt="Figure depicts a zone-redundant standard load balancer directing traffic in three different zones to three different subnets in a zone redundant configuration." width="512" title="Virtual Network NAT">

-</p>

-*Figure: Zone redundant load balancer*

-## Zonal

-You can choose to have a frontend guaranteed to a single zone, which is known as a *zonal*. With this scenario, a single zone in a region serves all inbound or outbound flow. Your frontend shares fate with the health of the zone. The data path is unaffected by failures in zones other than where it was guaranteed. You can use zonal frontends to expose an IP address per Availability Zone.

-Additionally, the use of zonal frontends directly for load-balanced endpoints within each zone is supported. You can use this configuration to expose per zone load-balanced endpoints to individually monitor each zone. For public endpoints, you can integrate them with a DNS load-balancing product like [Traffic Manager](../traffic-manager/traffic-manager-overview.md) and use a single DNS name.

-<p align="center">

- <img src="./media/az-zonal/zonal-lb-1.svg" alt="Figure depicts three zonal standard load balancers each directing traffic in a zone to three different subnets in a zonal configuration." width="512" title="Virtual Network NAT">

-</p>

-*Figure: Zonal load balancer*

-For a public load balancer frontend, you add a **zones** parameter to the public IP. This public IP is referenced by the frontend IP configuration used by the respective rule.

-For an internal load balancer frontend, add a **zones** parameter to the internal load balancer frontend IP configuration. A zonal frontend guarantees an IP address in a subnet to a specific zone.

-## Non-Zonal

-Load Balancers can also be created in a non-zonal configuration by use of a "no-zone" frontend. In these scenarios, a public load balancer would use a public IP or public IP prefix, an internal load balancer would use a private IP. This option doesn't give a guarantee of redundancy.

->[!NOTE]

->All public IP addresses that are upgraded from Basic SKU to Standard SKU will be of type "no-zone". Learn how to [Upgrade a public IP address in the Azure portal](../virtual-network/ip-services/public-ip-upgrade-portal.md).

-## <a name="design"></a> Design considerations

-Now that you understand the zone-related properties for Standard Load Balancer, the following design considerations might help as you design for high availability.

-### Tolerance to zone failure

-Members in the backend pool of a load balancer are normally associated with a single zone such as with zonal virtual machines. A common design for production workloads would be to have multiple zonal resources. For example, placing virtual machines from zone 1, 2, and 3 in the backend of a load balancer with a zone-redundant frontend meets this design principle.

-### Multiple frontends

-Using multiple frontends allow you to load balance traffic on more than one port and/or IP address. When designing your architecture, ensure you account for how zone redundancy interacts with multiple frontends. If your goal is to always have every frontend resilient to failure, then all IP addresses assigned as frontends must be zone-redundant. If a set of frontends is intended to be associated with a single zone, then every IP address for that set must be associated with that specific zone. A load balancer isn't required in each zone. Instead, each zonal front end, or set of zonal frontends, could be associated with virtual machines in the backend pool that are part of that specific availability zone.

-### Transition between regional zonal models

-In the case where a region is augmented to have [availability zones](../availability-zones/az-overview.md), any existing IPs would remain non-zonal like IPs used for load balancer frontends. To ensure your architecture can take advantage of the new zones, creation of new frontend IPs is recommended. Once created, you can replace the existing non-zonal frontend with a new zone-redundant frontend using the method described [here](../virtual-network/ip-services/configure-public-ip-load-balancer.md#change-or-remove-public-ip-address). All existing load balancing and NAT rules transition to the new frontend.

-### Control vs data plane implications

-Zone-redundancy doesn't imply hitless data plane or control plane. Zone-redundant flows can use any zone and your flows will use all healthy zones in a region. In a zone failure, traffic flows using healthy zones aren't affected.

-Traffic flows using a zone at the time of zone failure may be affected but applications can recover. Traffic continues in the healthy zones within the region upon retransmission when Azure has converged around the zone failure.

-Review [Azure cloud design patterns](/azure/architecture/patterns/) to improve the resiliency of your application to failure scenarios.

-## Limitations

-* Zones can't be changed, updated, or created for the resource after creation.

-* Resources can't be updated from zonal to zone-redundant or vice versa after creation.

-## Next steps

-description: Upgrade pipeline endpoints from v1 to v2 of Azure Machine Learning SDK

-[Batch Endpoint](concept-endpoints-batch.md) proposes a similar yet more powerful way to handle multiple assets running under a durable API which is why the Published pipelines functionality has been moved to [Pipeline component deployments in batch endpoints](concept-endpoints-batch.md#pipeline-component-deployment).

-1. First, we need to get the pipeline we want to publish. However, batch endpoints can't deploy pipelines but pipeline components. We need to convert the pipeline to a component.

- pipeline_component = pipeline.pipeline_builder.build()

-1. Then, we need to create the endpoint that will host all the pipeline deployments:

-In batch endpoints, deployments are not versioned. However, you can deploy multiple pipeline components versions under the same endpoint. In this sense, each pipeline version in v1 will correspond to a different pipeline component version and its corresponding deployment under the endpoint.

-Then, you can deploy a specific deployment running under the endpoint if that deployment runs the version you are interested in.

-Batch endpoints support multiple inputs types. The following example shows how to indicate two different inputs of type `string` and `numeric`:

-To know how to indicate inputs and outputs in batch endpoints and all the supported types see [Create jobs and input data for batch endpoints](how-to-access-data-batch-endpoints-jobs.md).

-[Migrate Hyper-V VMs](tutorial-migrate-hyper-v.md) for migration.

-As part of this retirement, we will no longer support creating new Single Server instances from the Azure portal beginning **January 16, 2023**. If you still need to create Single Server instances to meet business continuity needs, you can leverage [Azure CLI](./quickstart-create-mysql-server-database-using-azure-cli.md). Additionally, you can still use your Terraform template to create single server instances. You will still be able to create read replicas for your existing single server instance from the **Replication blade** and this will continue to be supported till the sunset date of **September 16, 2024**.

-**A.** As part of this retirement, we will no longer support creating new Single Server instances from the Azure portal beginning **January 16, 2023**. If you still need to create Single Server instances to meet business continuity needs, you can leverage [Azure CLI](./quickstart-create-mysql-server-database-using-azure-cli.md). Additionally, you can still use your Terraform template to create single server instances.

-description: This article describes how to diagnose on-premises connectivity via VPN gateway with Azure Network Watcher resource troubleshooting.

-# Diagnose on-premises connectivity via VPN gateways

-Azure VPN Gateway enables you to create hybrid solution that address the need for a secure connection between your on-premises network and your Azure virtual network. As your requirements are unique, so is the choice of on-premises VPN device. Azure currently supports [several VPN devices](../vpn-gateway/vpn-gateway-about-vpn-devices.md#devicetable) that are constantly validated in partnership with the device vendors. Review the device-specific configuration settings before configuring your on-premises VPN device. Similarly, Azure VPN Gateway is configured with a set of [supported IPsec parameters](../vpn-gateway/vpn-gateway-about-vpn-devices.md#ipsec) that are used for establishing connections. Currently, there's no way for you to specify or select a specific combination of IPsec parameters from the Azure VPN Gateway. For establishing a successful connection between on-premises and Azure, the on-premises VPN device settings must be in accordance with the IPsec parameters prescribed by Azure VPN Gateway. If the settings are incorrect, there's a loss of connectivity and until now troubleshooting these issues wasn't trivial and usually took hours to identify and fix the issue.

-With the Azure Network Watcher troubleshoot feature, you're able to diagnose any issues with your Gateway and Connections and within minutes have enough information to make an informed decision to rectify the issue.

-## Scenario

-You want to configure a site-to-site connection between Azure and on-premises using FortiGate as the on-premises VPN Gateway. To achieve this scenario, you would require the following setup:

-1. Virtual Network Gateway - The VPN Gateway on Azure

-1. Local Network Gateway - The [on-premises (FortiGate) VPN Gateway](../vpn-gateway/tutorial-site-to-site-portal.md#LocalNetworkGateway) representation in Azure cloud

-1. Site-to-site connection (route based) - [Connection between the VPN Gateway and the on-premises router](../vpn-gateway/tutorial-site-to-site-portal.md#CreateConnection)

-1. [Configuring FortiGate](https://github.com/Azure/Azure-vpn-config-samples/blob/master/Fortinet/Current/Site-to-Site_VPN_using_FortiGate.md)

-Detailed step by step guidance for configuring a Site-to-Site configuration can be found by visiting: [Create a VNet with a Site-to-Site connection using the Azure portal](../vpn-gateway/tutorial-site-to-site-portal.md).

-One of the critical configuration steps is configuring the IPsec communication parameters, any misconfiguration leads to loss of connectivity between the on-premises network and Azure. Currently, Azure VPN Gateways are configured to support the following IPsec parameters for Phase 1. As you can see in the table below, the encryption algorithms supported by Azure VPN Gateway are AES256, AES128, and 3DES.

-### IKE phase 1 setup

-| **Property** | **PolicyBased** | **RouteBased and Standard or High-Performance VPN gateway** |

-| | | |

-| IKE Version |IKEv1 |IKEv2 |

-| Diffie-Hellman Group |Group 2 (1024 bit) |Group 2 (1024 bit) |

-| Authentication Method |Pre-Shared Key |Pre-Shared Key |

-| Encryption Algorithms |AES256 AES128 3DES |AES256 3DES |

-| Hashing Algorithm |SHA1(SHA128) |SHA1(SHA128), SHA2(SHA256) |

-| Phase 1 Security Association (SA) Lifetime (Time) |28,800 seconds |28,800 seconds |

-As a user, you would be required to configure your FortiGate, a sample configuration can be found on [GitHub](https://github.com/Azure/Azure-vpn-config-samples/blob/master/Fortinet/Current/fortigate_show%20full-configuration.txt). Unknowingly you configured your FortiGate to use SHA-512 as the hashing algorithm. As this algorithm isn't a supported algorithm for policy-based connections, your VPN connection does work.

-These issues are hard to troubleshoot and root causes are often non-intuitive. In this case, you can open a support ticket to get help on resolving the issue. But with Azure Network Watcher troubleshoot API, you can identify these issues on your own.

-## Troubleshooting using Azure Network Watcher

-To diagnose your connection, connect to Azure PowerShell and initiate the `Start-AzNetworkWatcherResourceTroubleshooting` cmdlet. You can find the details on using this cmdlet at [Troubleshoot Virtual Network Gateway and connections - PowerShell](vpn-troubleshoot-powershell.md). This cmdlet may take up to few minutes to complete.

-Once the cmdlet completes, you can navigate to the storage location specified in the cmdlet to get detailed information on about the issue and logs. Azure Network Watcher creates a zip folder that contains the following log files:

-![1][1]

-Open the file called IKEErrors.txt and it displays the following error, indicating an issue with on-premises IKE setting misconfiguration.

- based on log : Peer sent NO_PROPOSAL_CHOSEN notify

-You can get detailed information from the Scrubbed-wfpdiag.txt about the error, as in this case it mentions that there was `ERROR_IPSEC_IKE_POLICY_MATCH` that lead to connection not working properly.

-Another common misconfiguration is the specifying incorrect shared keys. If in the preceding example you had specified different shared keys, the IKEErrors.txt shows the following error: `Error: Authentication failed. Check shared key`.

-Azure Network Watcher troubleshoot feature enables you to diagnose and troubleshoot your VPN Gateway and Connection with the ease of a simple PowerShell cmdlet. Currently, we support diagnosing the following conditions and are working towards adding more condition.

-### Gateway

-| Fault Type | Reason | Log|

-||||

-| NoFault | No error is detected |Yes|

-| GatewayNotFound | Cannot find Gateway or Gateway is not provisioned. |No|

-| PlannedMaintenance | Gateway instance is under maintenance. |No|

-| UserDrivenUpdate | A user update is in progress. This could be a resize operation. | No |

-| VipUnResponsive | Cannot reach the primary instance of the Gateway. This happens when the health probe fails. | No |

-| PlatformInActive | There is an issue with the platform. | No|

-| ServiceNotRunning | The underlying service is not running. | No|

-| NoConnectionsFoundForGateway | No Connections exists on the gateway. This is only a warning.| No|

-| ConnectionsNotConnected | None of the Connections is connected. This is only a warning.| Yes|

-| GatewayCPUUsageExceeded | The current Gateway usage CPU usage is > 95%. | Yes |

-### Connection

-| Fault Type | Reason | Log|

-||||

-| NoFault | No error is detected. |Yes|

-| GatewayNotFound | Cannot find Gateway or Gateway is not provisioned. |No|

-| PlannedMaintenance | Gateway instance is under maintenance. |No|

-| UserDrivenUpdate | A user update is in progress. This could be a resize operation. | No |

-| VipUnResponsive | Cannot reach the primary instance of the Gateway. It happens when the health probe fails. | No |

-| ConnectionEntityNotFound | Connection configuration is missing. | No |

-| ConnectionIsMarkedDisconnected | The Connection is marked "disconnected." |No|

-| ConnectionNotConfiguredOnGateway | The underlying service does not have the Connection configured. | Yes |

-| ConnectionMarkedStandby | The underlying service is marked as standby.| Yes|

-| Authentication | Preshared Key mismatch. | Yes|

-| PeerReachability | The peer gateway is not reachable. | Yes|

-| IkePolicyMismatch | The peer gateway has IKE policies that are not supported by Azure. | Yes|

-| WfpParse Error | An error occurred parsing the WFP log. |Yes|

-## Next steps

-Learn to check VPN Gateway connectivity with PowerShell and Azure Automation by visiting [Monitor VPN gateways with Azure Network Watcher troubleshooting](network-watcher-monitor-with-azure-automation.md)

-[1]: ./media/network-watcher-diagnose-on-premises-connectivity/figure1.png

-#Customer intent: As an experienced Python developer, I want to use Azure Open Datasets in my ML workflows for improved model accuracy.

-In this article, you learn how to bring curated enrichment data into your local or remote machine learning experiments with [Azure Machine Learning](../machine-learning/overview-what-is-azure-machine-learning.md) datasets and [Azure Open Datasets](./index.yml).

-* Don't risk unintentionally changing your original data sources.

-The following code shows that the MNIST `opendatasets` class can return either a `TabularDataset` or `FileDataset`.

-To register your datasets with a workspace, use the [`register()`](/python/api/azureml-core/azureml.data.abstract_dataset.abstractdataset#register-workspace--name--description-none--tags-none--create-new-version-false-) method.